[Bug 524992] Review Request: toppler - platform game

bugzilla at redhat.com bugzilla at redhat.com
Sat Nov 21 14:09:33 UTC 2009



https://bugzilla.redhat.com/show_bug.cgi?id=524992


Hans de Goede <hdegoede at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
         AssignedTo|nobody at fedoraproject.org    |hdegoede at redhat.com
               Flag|                            |fedora-review?




--- Comment #7 from Hans de Goede <hdegoede at redhat.com>  2009-11-21 09:09:31 EDT ---
Hi,

Full review (md5sum, license, spec file readability, etc.) done; the package
looks good. I have only one remark. I'm not completely happy with how the
highscore file is handled.

My problem is that toppler does not drop its sgid rights: it changes its egid,
but it keeps the rights. So if someone is able to take control of the toppler
process, he can then use the sgid games rights to get access to highscore files
of other games, which in turn could be used to inject data into other people's
processes with the purpose of taking over control of said process.

I would like to see toppler patched to open the highscore file at startup
(in rw mode) as the first thing in main, and then drop the sgid rights
completely.

This means the lock file will have to go. This lack of highscore file locking
is a problem with many games in general, but one which is usually just ignored
as in practice it never gets triggered.

Regards,

Hans
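
Added example, not part of the review comment above and not toppler's own code: one way to implement the requested change in C, opening the highscore file first and then giving up the sgid group permanently. The function names and the default path are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Permanently give up set-group-ID privilege. setregid(real, real) also
 * overwrites the saved set-group-ID, which setegid(getgid()) alone leaves
 * intact and regainable. Returns 0 on success, -1 on failure. */
int drop_sgid(void)
{
    gid_t real = getgid();
    gid_t priv = getegid();   /* e.g. "games" when installed sgid */
    if (setregid(real, real) != 0)
        return -1;
    if (getgid() != real || getegid() != real)
        return -1;
    /* Verify the drop is irreversible. Skipped for root, which can
     * always change GIDs through CAP_SETGID. */
    if (priv != real && geteuid() != 0 && setegid(priv) == 0)
        return -1;
    return 0;
}

/* Open the score file while still privileged, then drop. Returns the fd,
 * -1 if the file could not be opened (privilege is dropped anyway), or
 * -2 if the drop failed and the caller must exit. */
int open_scores_then_drop(const char *path)
{
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (drop_sgid() != 0) {
        if (fd >= 0)
            close(fd);
        return -2;
    }
    return fd;   /* already -1 if open() failed */
}

int main(int argc, char **argv)
{
    /* Hypothetical default path; the real one is packaging-specific. */
    const char *path = argc > 1 ? argv[1] : "/var/games/example.hiscore";
    int fd = open_scores_then_drop(path);   /* first thing in main */
    if (fd == -2)
        return EXIT_FAILURE;   /* never run the game still privileged */
    if (fd == -1)
        fprintf(stderr, "no highscore file: %s\n", path);
    /* ... game runs here with only the user's own group rights ... */
    if (fd >= 0) close(fd);
    return 0;
}
```

The descriptor opened before the drop stays readable and writable afterwards, so scores can still be saved while the process itself no longer holds the games group.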
