[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Bug 187353] Possible security issue

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: Possible security issue
Alias: CVE-2006-1390


------- Additional Comments From lmacken redhat com  2008-04-04 07:23 EST -------
>From upstream:

"     We could probably extract the relevant changes, but I don't
think that you actually need them.  The real security bug is
being caused by gentoo's policy of giving users full access to
the same group as nethack's setgid setting.  They shot themselves
in the foot here, by allowing users to modify the score file
outside of nethack.  The lax buffer handling has been (or will
be, from a 3.4.3 perspective...) fixed, but it is not exploitable
in a standard installation where nethack runs in a group whose
files can't be manipulated by arbitrary users.  

     I assume that redhat/fedora doesn't have the same config
issue as gentoo.  If I'm wrong, then you should change nethack
to run in a distinct group rather than--or in addition to--
patching its score file parsing code."

Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]