[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Bug 187353] CVE-2006-1390 nethack: Local privilege escalation via crafted score file



Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-1390 nethack: Local privilege escalation via crafted score file
Alias: CVE-2006-1390

https://bugzilla.redhat.com/show_bug.cgi?id=187353





------- Additional Comments From j w r degoede hhs nl  2008-04-04 10:19 EST -------
(In reply to comment #10)
> (In reply to comment #8)
> > From me (repeating myself from comment #3):
> > 
> > Although users are not in the games group on Fedora this is still a problem,
> > this hole allows the following scenario:
> > - find a sgid game which is exploitable to get games gid rights
> > - use the games gid rights to drop a crafted file which will
> >   exploit nethack when opened by nethack.
> > - once another users runs nethack and opens the crafted file
> >   unwanted things get done with the rights of the other user.
> > 
> > So although low priority this needs fixing never the less.
> 
> So, do you think we should try and get the patch from upstream, or do the same
> thing that you did with vultures eye and create a separate 'nethack' group ?

I vote for creating a seperate group, because AFAIK nethack needs several files
under /var/games and opens / close these several times during one run of the
game, making early sgid dropping, as we do with other games impossible (or
atleast quite hard todo), so putting it in its own group probably is best.

For more on the early sgid dropping we do, see:
http://fedoraproject.org/wiki/SIGs/Games/Packaging#head-193b9a502a42098e62591d036ad9f428bb5e3474

The idea here is that if even if one manages to subvert a sgid games game, one
does still not have access to gid games rights, as those have been dropt, so the
damaged for a subverted game is limited to write access to that games highscore
file.


-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]