[VIM] Re: lbreakout security question (fwd)

security curmudgeon jericho at attrition.org
Tue May 17 15:11:26 EDT 2005



---------- Forwarded message ----------
From: Michael Speck <speck.michael at gmail.com>
To: security curmudgeon <jericho at attrition.org>
Date: Tue, 17 May 2005 14:59:52 +0200
Subject: Re: lbreakout security question

Hi,

The patch from Ulf I applied this time was about bad snprintf calls. I
think I very distantly remember getting a patch (actually several,
since other games were affected too) about the HOME environment
variable. I'm quite sure I applied this one even if I did not mention
it. However, I no longer have this patch floating around and don't
know what the problem was so I cannot confirm 100%. But I'm quite sure
though.

regards,
Michael

On 5/16/05, security curmudgeon <jericho at attrition.org> wrote:
>
> Hello,
>
> I work with the Open Security Vulnerability Database (osvdb.org) and am
> trying to determine something about the security problems reported in the
> lbreakout game. Around Feb 22, 2004 Ulf Harnhammar from Debian found a
> local overflow in the HOME environment variable. Debian provided a patch
> for their users, but there was no indication if the original package was
> updated with a fix.
>
> A couple days ago, the Freshmeat mail list indicated a new version of
> lbreakout was available. Checking the details, it said that a security
> patch was applied. The changelog credits "U.H." (Ulf Harnhammar I assume)
> but shows a date of 05/02/14, about one year after the overflow issue.
>
> Can you confirm if these are the same vulnerability?
>
> Thanks!
>
> Brian
> OSVDB.org
>
> references:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0158
> http://www.debian.org/security/2004/dsa-445
>
>

