Date: Fri, 24 Mar 2006 03:26:12 -0800 (PST)
From: neeko@...lingsinister.net
To: bugtraq@...urityfocus.com
Subject: Re: [ GLSA 200603-23 ] NetHack, Slash'EM, Falcon's Eye: Local privilege escalation

Hello everyone.

Doesn't the included text from the advisory really make it sound more like a problem with their system for managing games? It doesn't point out any flaw in nethack in general, just behavior that's unexpected/unwanted/uncontrollable in their system.

Are any other distributions/platforms vulnerable to a problem in nethack like this? Sounds like it'd be big news, considering the install base of these games. If this problem is on their end, are other games/applications able to trigger it?

They've essentially wiped these fundamental applications (sorry) off their tree for the time being, that's pretty severe. Does anyone have any insight into this? I'm a big nethack fan..

Thanks.

-- J.Roberts (Neeko)

>
> Description
> ===========
>
> NetHack, Slash'EM and Falcon's Eye have been found to be incompatible
> with the system used for managing games on Gentoo Linux. As a result,
> they cannot be played securely on systems with multiple users.
>
> Impact
> ======
>
> A local user who is a member of group "games" may be able to modify the
> state data used by NetHack, Slash'EM or Falcon's Eye to trigger the
> execution of arbitrary code with the privileges of other players.
> Additionally, the games may create save game files in a manner not
> suitable for use on Gentoo Linux, potentially allowing a local user to
> create or overwrite files with the permissions of other players.
>