[packages/cxhextris.git] / cxhextris-security.patch

--- cxhextris/xio.c.old	Sat May  2 19:53:23 1998
+++ cxhextris/xio.c	Sat May  2 19:53:51 1998
@@ -105,6 +105,7 @@
     } else
       log_name = pwent->pw_name;
 #endif
+    init_scoreboard();
     for (i = 1; i < argc; i++) {
 	if (! strcmp(argv[i],"-rv")) {
 	    inverse = 1;
--- cxhextris/stdsys.c.old	Wed Apr  7 03:21:20 1993
+++ cxhextris/stdsys.c	Sat May  2 19:53:00 1998
@@ -89,6 +89,47 @@
     npiece->column = MAXCOLUMN / 2;
 }
 
+
+/*
+ *	Added by Alan Cox , RedHat May 1997
+ *
+ *	Xhextris isnt the cleanest of code, its also using a ton of toolkits. I've
+ *	swatted the bug reported by Chris Evans but I don't believe that this is the
+ *	right approach.
+ *
+ *	So we do it this way.
+ *
+ *	main calls init_scoreboard(). init_scoreboard drops all setuid/setgidness
+ *	_after_ opening up the scoreboard.
+ */
+ 
+static FILE *scores=NULL;
+
+void init_scoreboard(void)
+{
+	scores=fopen(HIGHSCOREFILE, "r+");
+	/* Drop em.. */
+	if(setregid(getgid(),getgid())==-1 ||
+		setreuid(getuid(),getuid())==-1)
+	{
+		perror("drop privileges");
+		exit(1);
+	}
+}
+
+static FILE *get_score_file(void)
+{
+	if(!scores)
+		return NULL;
+	rewind(scores);
+	return scores;
+}
+
+static void put_score_file(void)
+{
+	fflush(scores);
+}
+
 /* This reads in the high score file.
  */
 read_high_scores(high_scores)
@@ -96,12 +137,9 @@
 {
     int i, j;
     FILE *high_score_file;
-    char high_score_file_name[512];
     char buffer[40];
 
-    strcpy(high_score_file_name,HIGHSCOREFILE);
-    
-    if ((high_score_file = fopen(high_score_file_name , "r")) == NULL) {
+    if ((high_score_file = get_score_file()) == NULL) {
 	fprintf(stderr,"xhextris: Can't open high score file.\n");
 	return 0;
     }
@@ -124,7 +162,7 @@
 	high_scores[j].score = 0;
 	high_scores[j].rows = 0;
     }
-    fclose(high_score_file);
+    put_score_file();
     return 1;
 }
 
@@ -139,12 +177,10 @@
     char high_score_file_name[512];
     char buffer[40];
     
-    strcpy(high_score_file_name,HIGHSCOREFILE);
-    
 #ifdef AFS
     beGames();
 #endif
-    if ((high_score_file = fopen(high_score_file_name, "w")) == NULL) {
+    if ((high_score_file = get_score_file()) == NULL) {
 	fprintf(stderr,"xhextris: Can't open high score file.\n");
 	return 0;
     }
@@ -159,7 +195,7 @@
 	fwrite(buffer,sizeof(char),40,high_score_file);
     }
     fflush(high_score_file);
-    fclose(high_score_file);
+    put_score_file();
 /*    rename(tmp_high_score_file_name,high_score_file_name);*/
 #ifdef AFS
     bePlayer();
--- cxhextris/hextris.c.old	Tue Apr  6 00:55:55 1993
+++ cxhextris/hextris.c	Sat May  2 19:57:36 1998
@@ -490,8 +490,8 @@
 		high_scores[j].score = high_scores[j-1].score;
 		high_scores[j].rows = high_scores[j-1].rows;
 	    }
-	    strcpy(high_scores[i].name, name);
-	    strcpy(high_scores[i].userid, userid);
+	    strncpy(high_scores[i].name, name, sizeof(high_scores[i].name));
+	    strncpy(high_scores[i].userid, userid, sizeof(high_scores[i].userid));
 	    high_scores[i].score = score;
 	    high_scores[i].rows = rows;
 	    added = 1;
Commit	Line	Data
8a652849 JR	1	--- cxhextris/xio.c.old Sat May 2 19:53:23 1998
	2	+++ cxhextris/xio.c Sat May 2 19:53:51 1998
	3	@@ -105,6 +105,7 @@
	4	} else
	5	log_name = pwent->pw_name;
	6	#endif
	7	+ init_scoreboard();
	8	for (i = 1; i < argc; i++) {
	9	if (! strcmp(argv[i],"-rv")) {
	10	inverse = 1;
	11	--- cxhextris/stdsys.c.old Wed Apr 7 03:21:20 1993
	12	+++ cxhextris/stdsys.c Sat May 2 19:53:00 1998
	13	@@ -89,6 +89,47 @@
	14	npiece->column = MAXCOLUMN / 2;
	15	}
	16
	17	+
	18	+/*
	19	+ * Added by Alan Cox , RedHat May 1997
	20	+ *
	21	+ * Xhextris isnt the cleanest of code, its also using a ton of toolkits. I've
	22	+ * swatted the bug reported by Chris Evans but I don't believe that this is the
	23	+ * right approach.
	24	+ *
	25	+ * So we do it this way.
	26	+ *
	27	+ * main calls init_scoreboard(). init_scoreboard drops all setuid/setgidness
	28	+ * _after_ opening up the scoreboard.
	29	+ */
	30	+
	31	+static FILE *scores=NULL;
	32	+
	33	+void init_scoreboard(void)
	34	+{
	35	+ scores=fopen(HIGHSCOREFILE, "r+");
	36	+ /* Drop em.. */
	37	+ if(setregid(getgid(),getgid())==-1 \|\|
	38	+ setreuid(getuid(),getuid())==-1)
	39	+ {
	40	+ perror("drop privileges");
	41	+ exit(1);
	42	+ }
	43	+}
	44	+
	45	+static FILE *get_score_file(void)
	46	+{
	47	+ if(!scores)
	48	+ return NULL;
	49	+ rewind(scores);
	50	+ return scores;
	51	+}
	52	+
	53	+static void put_score_file(void)
	54	+{
	55	+ fflush(scores);
	56	+}
	57	+
	58	/* This reads in the high score file.
	59	*/
	60	read_high_scores(high_scores)
	61	@@ -96,12 +137,9 @@
	62	{
	63	int i, j;
	64	FILE *high_score_file;
65	- char high_score_file_name[512];
66	char buffer[40];
67
68	- strcpy(high_score_file_name,HIGHSCOREFILE);
69	-
70	- if ((high_score_file = fopen(high_score_file_name , "r")) == NULL) {
71	+ if ((high_score_file = get_score_file()) == NULL) {
72	fprintf(stderr,"xhextris: Can't open high score file.\n");
73	return 0;
74	}
75	@@ -124,7 +162,7 @@
76	high_scores[j].score = 0;
77	high_scores[j].rows = 0;
78	}
79	- fclose(high_score_file);
80	+ put_score_file();
81	return 1;
82	}
83
84	@@ -139,12 +177,10 @@
85	char high_score_file_name[512];
86	char buffer[40];
87
88	- strcpy(high_score_file_name,HIGHSCOREFILE);
89	-
90	#ifdef AFS
91	beGames();
92	#endif
93	- if ((high_score_file = fopen(high_score_file_name, "w")) == NULL) {
94	+ if ((high_score_file = get_score_file()) == NULL) {
95	fprintf(stderr,"xhextris: Can't open high score file.\n");
96	return 0;
97	}
98	@@ -159,7 +195,7 @@
99	fwrite(buffer,sizeof(char),40,high_score_file);
100	}
101	fflush(high_score_file);
102	- fclose(high_score_file);
103	+ put_score_file();
104	/* rename(tmp_high_score_file_name,high_score_file_name);*/
105	#ifdef AFS
106	bePlayer();
76cacbca	107	--- cxhextris/hextris.c.old Tue Apr 6 00:55:55 1993
76cacbca	108	+++ cxhextris/hextris.c Sat May 2 19:57:36 1998
8a652849 JR	109	@@ -490,8 +490,8 @@
	110	high_scores[j].score = high_scores[j-1].score;
	111	high_scores[j].rows = high_scores[j-1].rows;
	112	}
	113	- strcpy(high_scores[i].name, name);
	114	- strcpy(high_scores[i].userid, userid);
	115	+ strncpy(high_scores[i].name, name, sizeof(high_scores[i].name));
	116	+ strncpy(high_scores[i].userid, userid, sizeof(high_scores[i].userid));
	117	high_scores[i].score = score;
	118	high_scores[i].rows = rows;
	119	added = 1;