-------------------------------------------------------------------------- Debian Security Advisory DSA 345-1 security@debian.org http://www.debian.org/security/ Matt Zimmerman July 8th, 2003 http://www.debian.org/security/faq -------------------------------------------------------------------------- Package : xbl Vulnerability : buffer overflow Problem-Type : local Debian-specific: no CVE Ids : CAN-2003-0535 Another buffer overflow was discovered in xbl, distinct from the one addressed in DSA-327 (CAN-2003-0451), involving the -display command line option. This vulnerability could be exploited by a local attacker to gain gid 'games'.
Unless I'm missing something, I'm pretty sure this isn't an issue on Gentoo since xbl isn't installed setgid. -rwxr-x--- 1 games games 163396 Aug 17 04:21 /usr/games/bin/xbl I guess if you're running Debian you should be concerned. ;-)
who knows maybe you can get uid games ... thats a 'semi' issue
How would that be possible? The executable isn't setuid or setgid. Even if there is an exploitable bug in xbl, the program isn't run with anything other than the user's permissions and group.
err you're right ... aliz, you can send out a GLSA but be sure to note that standard gentoo installs arent affected ... the only people who are affected are those who setgid on the binary themselves
GLSA deadlock?
resolved?
Re: comment #3 your right, so changing resolution to INVALID
