Bug 73060 - games-arcade/rockdodger: buffer overflows
Summary: games-arcade/rockdodger: buffer overflows
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: Normal minor
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: B4 [noglsa]
Reported: 2004-12-01 12:24 UTC by Dan Margolis (RETIRED)
Modified: 2009-07-13 22:34 UTC (History)
Description Dan Margolis (RETIRED) gentoo-dev 2004-12-01 12:24:58 UTC
Ulf Harnhammar (the first 'a' has two dots over it, but I don't know how to make those) found a few buffer overflows for the Debian Audit Project. He's provided a patch. Games, can you patch this one?
Comment 1 Mr. Bones. (RETIRED) gentoo-dev 2004-12-01 12:56:26 UTC
This isn't a security issue.  Please tone down this bug to normal and assign it to the games team for normal processing.
Comment 2 Dan Margolis (RETIRED) gentoo-dev 2004-12-01 13:09:01 UTC
Whoops. I just assumed that it was from it being from Ulf. My fault. 
Comment 3 Ulf Harnhammar 2004-12-01 13:27:35 UTC
Well, it's a very small security issue.

// Ulf
Comment 4 Dan Margolis (RETIRED) gentoo-dev 2004-12-01 13:39:47 UTC
Right. I hadn't bothered to check the patch before (oops!). The env variable issue I wouldn't ordinarily worry about so much (as it's unlikely that anyone can set another user's vars), but there is also an issue where someone who can write to the high scores file can cause an overflow.

This is low priority, but it IS a security issue. Technically, it's a B2, though a relatively low severity one. Nonetheless, I'm going to reassign to security so that they can issue a GLSA, if they desire. 

(sorry for the back and forth.)
Comment 5 Mr. Bones. (RETIRED) gentoo-dev 2004-12-01 17:10:51 UTC
added the patch to cvs, rev bumped, and removed the old version.  Proceed with the glsa at your pleasure.
Comment 6 Luke Macken (RETIRED) gentoo-dev 2004-12-01 18:55:09 UTC
Security, please vote on GLSA.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-12-02 01:59:39 UTC
OK, so is it (1) every rockdodger user shares the same writeable highscore file and so could trigger an overflow by writing something malicious in that file and having another user view it?

Or (2) all users have separate highscore files so this would only be restricted to the same user?

If this is (1) it could be worth a GLSA, but if this is (2) it's not worth it...
Comment 8 Mr. Bones. (RETIRED) gentoo-dev 2004-12-02 02:00:57 UTC
It's (1) which is why I fixed it so fast.  (2) I probably would have ignored.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-12-02 04:15:29 UTC
So it's a B4 (B2 needs a remote attacker, B1 needs root escalation): Local user may be able to execute code with the rights of another user. I sure hope root doesn't play rockdodger. Security, please vote.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-02 04:56:09 UTC
I vote for no GLSA on this one.
Comment 11 Ulf Harnhammar 2004-12-02 15:42:56 UTC
Does the use of "dogamesbin" mean that rockdodger is setgid games on Gentoo? If it is, the environment variable bug can be exploited to gain a gid games shell. If it's not setgid or setuid anything, that part is just a crash bug.

(I don't run Gentoo yet, and I found the eclass stuff a bit hard to follow, so I had to ask..)

// Ulf
Comment 12 Mr. Bones. (RETIRED) gentoo-dev 2004-12-02 15:47:21 UTC
no it's not setuid or setgid.  Only the highscore part of the bug is a concern.
Comment 13 Luke Macken (RETIRED) gentoo-dev 2004-12-03 06:48:51 UTC
I vote no glsa.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-12-03 07:35:22 UTC
Closed as a silent fix. Thx Ulf and keep up the good work :)
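
The two input paths discussed in this thread (a high score file that other local users can write, and a value taken from an environment variable) both cross a trust boundary into fixed-size buffers. The following C sketch is an added example, not rockdodger's code and not the patch referenced in this bug; the "name points" line format, the `SCORE_NAME_MAX` limit and the `.scores` file name are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCORE_NAME_MAX 15          /* hypothetical limit for this example */

struct score { char name[SCORE_NAME_MAX + 1]; long points; };

/* Parse one "name points" line from a score file other users can write.
 * Returns 0 on success, -1 if the line is malformed or a field is oversized. */
int parse_score_line(const char *line, struct score *out)
{
    const char *sp = strchr(line, ' ');
    if (sp == NULL)
        return -1;
    size_t name_len = (size_t)(sp - line);
    if (name_len == 0 || name_len > SCORE_NAME_MAX)
        return -1;                 /* reject instead of copying past the buffer */
    char *end;
    errno = 0;
    long pts = strtol(sp + 1, &end, 10);
    if (errno != 0 || end == sp + 1 || (*end != '\0' && *end != '\n') || pts < 0)
        return -1;                 /* not a clean non-negative number */
    memcpy(out->name, line, name_len);
    out->name[name_len] = '\0';
    out->points = pts;
    return 0;
}

/* Build "<dir>/.scores" where dir came from an environment variable.
 * Returns 0 on success, -1 if dir is missing or the result would not fit. */
int build_score_path(const char *dir, char *buf, size_t buflen)
{
    if (dir == NULL || buflen == 0)
        return -1;
    int n = snprintf(buf, buflen, "%s/.scores", dir);
    if (n < 0 || (size_t)n >= buflen)
        return -1;                 /* truncated: refuse to use a partial path */
    return 0;
}

int main(void)
{
    struct score s;
    /* Constructed sample lines, not taken from a real score file. */
    printf("oversized name -> %d\n",
           parse_score_line("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100\n", &s));
    printf("valid line     -> %d\n", parse_score_line("ulf 4200\n", &s));
    return 0;
}
```

Rejecting an oversized field outright, rather than truncating it, also keeps one user's malformed entry from silently changing what another user sees.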