Bug 122845 - games-rpg/daimonin-client: insecure file creation
Summary: games-rpg/daimonin-client: insecure file creation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
URL: http://www.daimonin.net/
Whiteboard: ~3 [masked] DerCorny
Keywords:
Depends on:
Blocks:
 
Reported: 2006-02-14 14:17 UTC by Stefan Cornelius (RETIRED)
Modified: 2007-07-24 12:16 UTC
Description Stefan Cornelius (RETIRED) gentoo-dev 2006-02-14 14:17:47 UTC
corny@linux /var/games/daimonin-client $ ln -s /home/corny/footest. client.log
corny@linux /var/games/daimonin-client $ ln -s /home/corny/footest.p0 bmaps.p0
then started daimonin-client -> both overwritten

seems to always create those files in /var/games/daimonin-client for me, but somebody should verify that. It also logs the password in plaintext in the logfile when creating a new character, nothing serious but maybe one could fix that on the fly.
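
Added example (not part of the bug report or the daimonin source): the symlink overwrite from the description, reproduced in a private temporary directory, next to a hardened open that refuses a symlink at the log path. The function names, the /tmp path and the 6-byte victim file are constructed for illustration; open_log_naive is a stand-in for the behaviour the report observed, not the client's actual code.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* O_NOFOLLOW, O_CLOEXEC, mkdtemp */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for the reported behaviour: follows a symlink, truncates its target. */
static int open_log_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: refuse a symlink at the final component, then check the opened
 * inode (regular file, owned by us, no extra hard links) before truncating. */
static int open_log_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;               /* ELOOP when path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1 || ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: client.log is a symlink to a 6-byte victim file.
 * Returns the victim's size after the open attempt, or -1 on setup error. */
static long demo(int use_safe) {
    char dir[] = "/tmp/symdemoXXXXXX", victim[64], lnk[64];
    struct stat st; FILE *f;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/client.log", dir);
    if (!(f = fopen(victim, "w"))) return -1;
    fputs("secret", f); fclose(f);
    if (symlink(victim, lnk) != 0) return -1;
    int fd = use_safe ? open_log_safe(lnk) : open_log_naive(lnk);
    if (fd >= 0) close(fd);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(lnk); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    return printf("naive leaves %ld bytes, safe leaves %ld\n", demo(0), demo(1)) < 0;
}
```

O_NOFOLLOW only covers the last path component, so the directory holding the log still has to be one that other users cannot write to.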
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2006-02-14 14:58:51 UTC
Confirmed in daimonin-client-0.96.6_beta3, this version is currently not stable on any security supported architecture so no glsa is necessary, however this issue should be fixed before being marked stable.

Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-14 19:00:22 UTC
please provide a fixed ebuild, thanks
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-02 16:03:38 UTC
Hi,

Some news here?
Is there an upstream update available?
Comment 4 Mr. Bones. (RETIRED) gentoo-dev 2006-04-02 19:24:04 UTC
It's been package masked.
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2006-04-02 19:29:00 UTC
package was never stable, so we won't need a masking GLSA. keeping bug open as enhancement.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-05 05:49:34 UTC
Games, do you want to keep this masked or should it be removed?
Comment 7 Jakub Moc (RETIRED) gentoo-dev 2006-12-16 20:22:35 UTC
# Michael Sterrett <mr_bones_@gentoo.org> (02 Apr 2006)
# masked pending unresolved security issues #122845
games-rpg/daimonin-client

About time to die?
Comment 8 Mr. Bones. (RETIRED) gentoo-dev 2006-12-16 21:30:18 UTC
No, it's still being actively developed.  Someone will fix it eventually.
Comment 9 Aniruddha 2007-03-20 19:40:21 UTC
Have we contacted the developers already? Maybe it's a good idea to let them know.
Comment 10 Aniruddha 2007-05-22 21:24:54 UTC
According to happypenguin there has been an update. Maybe it's time to re-evaluate?
http://happypenguin.org/news/
Comment 11 Todd Partridge 2007-05-24 10:18:25 UTC
Yes, beta 4 is officially running on their servers now.
Comment 12 Tristan Heaven (RETIRED) gentoo-dev 2007-05-29 22:24:09 UTC
0.9.7 writes to ~/.daimonin/
Comment 13 Aniruddha 2007-06-07 17:01:58 UTC
What is the reason it's still hardmasked?
Comment 14 Tristan Heaven (RETIRED) gentoo-dev 2007-07-24 12:00:32 UTC
(In reply to comment #13)
> What is the reason it's still hardmasked?

unmasked
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-24 12:16:21 UTC
the security issue is now solved, so I guess we can close this one. Feel free to reopen if you disagree.