From the Debian bug at $URL:

The ~/.rocksndiamonds directory and its subdirectories are created as writable to anybody. This allows an attacker to overwrite arbitrary files by doing this:

1) Delete the /home/victim/.rocksndiamonds/cache/artworkinfo.cache file.
2) Create new /home/victim/.rocksndiamonds/cache/artworkinfo.cache as a symlink to a file you want to overwrite.
3) Wait until the victim runs the game.

There is a proposed patch on the Red Hat bug at https://bugzilla.redhat.com/show_bug.cgi?id=766805.
Added the patch and rev bumped it to force it out.
Mr. bones: I see that the ebuild already has all stable keywords; have you tested it on all arches?
GLSA Vote: no.
CVE-2011-4606 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4606): Artsoft Entertainment Rocks'n'Diamonds (aka rocksndiamonds) 3.3.0.1 allows local users to overwrite arbitrary files via a symlink attack on .rocksndiamonds/cache/artworkinfo.cache under a user's home directory.
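One way to close the condition the CVE text describes, as an added example that is not part of this bug thread and is not the Red Hat or Gentoo patch: the directory is forced to owner-only mode and the cache file is opened without following a symlink. The function names `open_private_dir` and `open_cache_for_write` are hypothetical, and the ELOOP error code assumes Linux.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open dir (creating it if needed) and make it private to its owner.
   Returns a directory fd, or -1 if it is a symlink or not ours. */
int open_private_dir(const char *dir)
{
    struct stat st;
    int dfd;

    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    /* fchmod on the fd: mkdir's mode is cut by umask, and an older
       release may have left the directory world-writable */
    if (fstat(dfd, &st) != 0 || st.st_uid != geteuid() ||
        fchmod(dfd, 0700) != 0) {
        close(dfd);
        return -1;
    }
    return dfd;
}

/* Open name inside dir for rewriting without following a symlink.
   Returns an fd, or -1 (errno is ELOOP on Linux for a symlink). */
int open_cache_for_write(const char *dir, const char *name)
{
    struct stat st;
    int fd, saved, dfd = open_private_dir(dir);

    if (dfd < 0)
        return -1;
    fd = openat(dfd, name, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    saved = errno;              /* keep openat's errno across close() */
    close(dfd);
    if (fd < 0) { errno = saved; return -1; }
    /* Truncate only after checking the target: a hard link to another
       file (st_nlink > 1) or a non-regular file is refused untouched. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```

The same directory check has to be applied to ~/.rocksndiamonds itself before its subdirectories, because a world-writable parent still lets another user rename the cache directory away.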
Vote: No, closing noglsa.