The "snake" game from app-xemacs/games stores its score in the /tmp/snake-scores file. Someone could symlink this to a file the user doesn't want to clobber.
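The symlink problem described in this report, as an added example in Python (it is not the upstream snake.el change and not code from this bug): a plain open-for-write on a predictable path follows a pre-planted link and truncates its target, while opening with `O_NOFOLLOW` and checking the file before truncating refuses. The function names, the victim file and the temporary directory standing in for /tmp are all constructed for illustration.

```python
import os
import stat
import tempfile


def write_scores_unsafe(path, text):
    """Plain open(): follows a symlink at `path` and truncates its target."""
    with open(path, "w") as f:
        f.write(text)


def write_scores_safe(path, text):
    """Refuse to write through a symlink or into a file we do not own."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)  # OSError (ELOOP) if path is a symlink
    try:
        st = os.fstat(fd)
        if (not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid()
                or st.st_nlink != 1):
            raise PermissionError(f"refusing {path}: not a private regular file")
        os.ftruncate(fd, 0)  # truncate only after the checks pass
        os.write(fd, text.encode())
    finally:
        os.close(fd)


def demo():
    """Constructed scenario in a private temp dir standing in for /tmp."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "important.txt")  # constructed victim file
        scores = os.path.join(d, "snake-scores")   # stands in for /tmp/snake-scores
        with open(victim, "w") as f:
            f.write("keep me")
        os.symlink(victim, scores)                 # link already in place

        blocked = False
        try:
            write_scores_safe(scores, "100\n")
        except OSError:
            blocked = True
        with open(victim) as f:
            after_safe = f.read()

        write_scores_unsafe(scores, "100\n")       # clobbers the link target
        with open(victim) as f:
            after_unsafe = f.read()
        return blocked, after_safe, after_unsafe
```

Keeping the score file in a per-user directory instead of a world-writable one avoids the predictable shared path altogether; the checks above matter when the location cannot be moved.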
Reported upstream, see URL.
Fixed in CVS upstream: <http://alioth.debian.org/scm/viewvc.php/XEmacs/packages/xemacs-packages/games/snake.el?root=xemacs&r1=1.4&r2=1.5>
This is fixed with app-xemacs/games-1.20 which got added to the tree today.
Arches, please test and mark stable:
=app-xemacs/games-1.20
Target keywords: "alpha amd64 ppc ppc64 sparc x86"
amd64 done
x86 stable
Stable on alpha.
sparc stable
ppc done
ppc64 done
GLSA Vote: Yes, reluctantly.
I think this would usually get a GLSA, but this symlink vulnerability would only be relevant on a shared system, and why would you install games there in the first place? It also needs X ... I think this will never be exploited IRL. Closing noglsa, feel free to reopen.