Date: Sat, 25 Apr 1998 14:36:26 +0100
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
To: BUGTRAQ@NETSPACE.ORG
Subject: Minor hole in "cxhextris" on certain Linux.
Hi,

[This is a minor problem]

On my RedHat Linux systems, cxhextris has a binary called "xhextris", and
it runs under the euid "games".

-rwsr-xr-x   1 games    games       49688 Apr 25 14:02 /usr/X11R6/bin/xhextris

A bug in this program will allow local users to subvert the user "games",
perhaps using this to then hide their activities (or cheat in the high
score table!! :-)

Details:

The name of the player can optionally be taken from the environment
variable "XHEXNAME":

xio.c:    if ((name = (char *)getenv("XHEXNAME")) == NULL)

This can obviously be of an arbitrary length.

When a high score is achieved:

strcpy(high_scores[i].name, name);

This overflows a buffer on the stack of the function main().

At the same time this is fixed, the following should also be fixed:

xio.c: #ifdef LOG
       strcpy(log_message,log_name);

log_name can come from getenv("USER") in admittedly rare circumstances.

Cheers
Chris
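
Added example (not part of the original post and not cxhextris source): a bounded replacement for the two strcpy() calls quoted above, which truncates an over-long XHEXNAME or USER value instead of writing past the destination. The field size NAME_LEN, the struct layout, the fallback name and both function names are assumptions made for illustration.

```c
/* Added example, not cxhextris source. NAME_LEN, struct score_entry and
   both function names are assumptions made for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 40  /* assumed field size; the post does not give the real one */

struct score_entry { char name[NAME_LEN]; long score; };

/* Copy src into a fixed-size field, always NUL-terminating.
   Returns 0 if it fit, 1 if it was truncated, -1 on unusable arguments. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n;

    if (dst == NULL || dstsz == 0)
        return -1;
    if (src == NULL)
        src = "";
    n = strlen(src);
    if (n >= dstsz) {                 /* would overflow: keep what fits */
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);          /* fits, including the terminator */
    return 0;
}

/* Stands in for: strcpy(high_scores[i].name, name);
   env_value is whatever getenv() returned and may be NULL or any length. */
int set_score_name(struct score_entry *e, const char *env_value,
                   const char *fallback)
{
    const char *name = (env_value != NULL && env_value[0] != '\0')
                           ? env_value : fallback;
    return copy_bounded(e->name, sizeof e->name, name);
}

int main(void)
{
    struct score_entry e;
    int rc = set_score_name(&e, getenv("XHEXNAME"), "anonymous");

    printf("name=\"%s\" truncated=%d\n", e.name, rc);
    return 0;
}
```

The same copy_bounded() call, given sizeof log_message, covers the log_name copy under #ifdef LOG.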