lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20060324171901.GB676@sdf.lonestar.org>
Date: Fri, 24 Mar 2006 17:19:01 +0000
From: Tavis Ormandy <taviso@...too.org>
To: neeko@...lingsinister.net
Cc: bugtraq@...urityfocus.com
Subject: Re: [ GLSA 200603-23 ] NetHack, Slash'EM, Falcon's Eye: Local privilege escalation

On Fri, Mar 24, 2006 at 03:26:12AM -0800, neeko@...lingsinister.net wrote:
> Hello everyone.
> 
> Doesn't the included text from the advisory really make it sound more like a 
> problem with their system for managing games? 

Hello, this is accurate.

> It doesn't point out any flaw 
> in nethack in general, just behavior that's unexpected/unwanted/uncontrollable
> in their system. 

There is no flaw in nethack that we're aware of, this is an interaction
between nethack and the policy used for managing games on gentoo that
results in a security problem.

> Are any other distributions/platforms vulnerable to a problem in nethack like
> this?  Sounds like it'd be big news, considering the install base of these
> games.  

Unlikely, gentoo uses a non-standard method of installing games, that is
very unlikely to be used elsewhere.

> If this problem is on their end, are other games/applications able to trigger
> it?
>
> They've essentially wiped these fundamental applications (sorry) off their
> tree for the time being, that's pretty severe.

Yes, Gentoo does not use the standard setgid system for games that store
system-wide high scores, save games, etc, and as a result anyone can
manipulate the high score tables or save games.

Nethack was simply not designed to work this way and does not expect
users to be able to modify it's state data arbitrarily, and as a result
makes assumptions about the format of the files that may not hold true
on Gentoo.

We have decided to temporarily revoke these packages while these issues
are resolved.

Thanks, Tavis.

-- 
-------------------------------------
taviso@....lonestar.org | finger me for my pgp key.
-------------------------------------------------------

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ