Your message dated Thu, 28 Jul 2005 01:35:56 -0700 with message-id <[EMAIL PROTECTED]> and subject line Bug#319661: fixed in xemeraldia 0.4-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Date: Sat, 23 Jul 2005 16:24:15 -0400
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: sgid games program can write to any file writable by games group

Package: xemeraldia
Version: 0.3-29
Severity: grave
Tags: security

In the progress of removing the sgid bit from xemeraldia as a routine
preventative measure, I noticed that Xemeraldia's score file is
controlled by an X resource. Therefore, it can trivially be used to
overwrite any file on the system that can be written to by group games.

    [EMAIL PROTECTED]:~>xrdb -merge
    XEmeraldia*ScoreFile: /var/games/xjewel.scores

Now just run xemeraldia, lose a game, and the xjewel score file is
replaced by an xemeraldia score file.

It's also possible that since this can be used to feed xemeraldia
arbitrary data files, that this could be used to crash it, which would
obtain a shell owned by group games. I have not attempted this exploit.

Note that xemeraldia's own Imakefile does not install it sgid or suid to
anything, so this bug can only be exploited on systems which override
its default permissions. However, its Imakefile certainly did encourage
making it sgid/suid by setting the score file location to
/usr/local/lib, and I expect most systems install it sgid.

The best fix is to make it write to a per-user score file in a user's
home directory and lose the sgid bit.

-- 
see shy jo

---------------------------------------
From: Joey Hess <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#319661: fixed in xemeraldia 0.4-1
Date: Thu, 28 Jul 2005 01:35:56 -0700

Source: xemeraldia
Source-Version: 0.4-1

We believe that the bug you reported is fixed in the latest version of
xemeraldia, which is due to be installed in the Debian FTP archive:

xemeraldia_0.4-1.diff.gz
  to pool/main/x/xemeraldia/xemeraldia_0.4-1.diff.gz
xemeraldia_0.4-1.dsc
  to pool/main/x/xemeraldia/xemeraldia_0.4-1.dsc
xemeraldia_0.4-1_i386.deb
  to pool/main/x/xemeraldia/xemeraldia_0.4-1_i386.deb
xemeraldia_0.4.orig.tar.gz
  to pool/main/x/xemeraldia/xemeraldia_0.4.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joey Hess <[EMAIL PROTECTED]> (supplier of updated xemeraldia package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Sat, 23 Jul 2005 15:22:44 -0400
Source: xemeraldia
Binary: xemeraldia
Architecture: source i386
Version: 0.4-1
Distribution: unstable
Urgency: high
Maintainer: Joey Hess <[EMAIL PROTECTED]>
Changed-By: Joey Hess <[EMAIL PROTECTED]>
Description:
 xemeraldia - not just another tetris clone
Closes: 319661
Changes:
 xemeraldia (0.4-1) unstable; urgency=HIGH
 .
   * New upstream release with new upstream maintainer.
   * Now uses gtk+ 2.0, and drops the app-defaults stuff and so avoids the
     high score file redirection hole. Closes: #319661
   * Dropped sgid bit stuff, not worth the possible security exposure.
     High score file is now written to ~/.xemeraldia.scores.
   * Note that if you have an existing score file, it will be preserved in
     /var/games until the package is purged, but you will have to manually
     copy it to your home directory to make xemeraldia see it.
   * Updated watch and copyright files.
   * Updated to current policy.
   * Clean up the man page.
   * Lintian cleanups.
Files:
 9dc3fa360a0932f07085ffa6f45f7d51 615 games optional xemeraldia_0.4-1.dsc
 6f000543aca2cfaf44685d440bc7300e 186841 games optional xemeraldia_0.4.orig.tar.gz
 f525bc0851abecaa8c9551998d498a44 4001 games optional xemeraldia_0.4-1.diff.gz
 6eda5e3cd7570f05b96ed48a271d4390 22306 games optional xemeraldia_0.4-1_i386.deb