From bugzilla at redhat.com Thu Apr 3 17:11:03 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 3 Apr 2008 13:11:03 -0400 Subject: [Bug 187353] Possible security issue In-Reply-To: Message-ID: <200804031711.m33HB3UP024903@bz-web1.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Possible security issue Alias: CVE-2006-1390 https://bugzilla.redhat.com/show_bug.cgi?id=187353 bugzilla at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |medium Priority|normal |medium Product|Fedora Extras |Fedora Alias| |CVE-2006-1390 Version|devel |rawhide fedora-triage-list at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fedora-triage- | |list at redhat.com -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Apr 3 17:11:06 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 3 Apr 2008 13:11:06 -0400 Subject: [Bug 187353] Possible security issue In-Reply-To: Message-ID: <200804031711.m33HB6mK013781@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Possible security issue Alias: CVE-2006-1390 https://bugzilla.redhat.com/show_bug.cgi?id=187353 fedora-triage-list at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard| | bzcl34nup -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Apr 3 17:11:08 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 3 Apr 2008 13:11:08 -0400 Subject: [Bug 187353] Possible security issue In-Reply-To: Message-ID: <200804031711.m33HB8xB013817@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Possible security issue Alias: CVE-2006-1390 https://bugzilla.redhat.com/show_bug.cgi?id=187353 fedora-triage-list at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Apr 3 17:11:11 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 3 Apr 2008 13:11:11 -0400 Subject: [Bug 187353] Possible security issue In-Reply-To: Message-ID: <200804031711.m33HBBhW013848@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Possible security issue Alias: CVE-2006-1390 https://bugzilla.redhat.com/show_bug.cgi?id=187353 ------- Additional Comments From fedora-triage-list at redhat.com 2008-04-03 13:11 EST ------- Based on the date this bug was created, it appears to have been reported against rawhide during the development of a Fedora release that is no longer maintained. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained. If this bug remains in NEEDINFO thirty (30) days from now, we will automatically close it. If you can reproduce this bug in a maintained Fedora version (7, 8, or rawhide), please change this bug to the respective version and change the status to ASSIGNED. (If you're unable to change the bug's version or status, add a comment to the bug and someone will change it for you.) Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we're following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Apr 3 19:14:52 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 3 Apr 2008 15:14:52 -0400 Subject: [Bug 229990] CVE-2007-1030: libevent < 1.3 DoS In-Reply-To: Message-ID: <200804031914.m33JEqNV015447@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-1030: libevent < 1.3 DoS https://bugzilla.redhat.com/show_bug.cgi?id=229990 fedora-triage-list at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Apr 3 19:14:47 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 3 Apr 2008 15:14:47 -0400 Subject: [Bug 229990] CVE-2007-1030: libevent < 1.3 DoS In-Reply-To: Message-ID: <200804031914.m33JElJJ015411@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-1030: libevent < 1.3 DoS https://bugzilla.redhat.com/show_bug.cgi?id=229990 bugzilla at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|normal |medium Product|Fedora Extras |Fedora Version|devel |rawhide fedora-triage-list at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fedora-triage- | |list at redhat.com -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Apr 3 19:14:50 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 3 Apr 2008 15:14:50 -0400 Subject: [Bug 229990] CVE-2007-1030: libevent < 1.3 DoS In-Reply-To: Message-ID: <200804031914.m33JEoJG031371@bz-web1.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-1030: libevent < 1.3 DoS https://bugzilla.redhat.com/show_bug.cgi?id=229990 fedora-triage-list at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard| | bzcl34nup -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Apr 3 19:14:54 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 3 Apr 2008 15:14:54 -0400 Subject: [Bug 229990] CVE-2007-1030: libevent < 1.3 DoS In-Reply-To: Message-ID: <200804031914.m33JEskv031401@bz-web1.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-1030: libevent < 1.3 DoS https://bugzilla.redhat.com/show_bug.cgi?id=229990 ------- Additional Comments From fedora-triage-list at redhat.com 2008-04-03 15:14 EST ------- Based on the date this bug was created, it appears to have been reported against rawhide during the development of a Fedora release that is no longer maintained. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained. If this bug remains in NEEDINFO thirty (30) days from now, we will automatically close it. If you can reproduce this bug in a maintained Fedora version (7, 8, or rawhide), please change this bug to the respective version and change the status to ASSIGNED. (If you're unable to change the bug's version or status, add a comment to the bug and someone will change it for you.) Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we're following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Apr 4 06:39:04 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 4 Apr 2008 02:39:04 -0400 Subject: [Bug 233705] CVE-2007-0653 XMMS multiple issues (CVE-2007-0654) In-Reply-To: Message-ID: <200804040639.m346d4Zi003804@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654) Alias: CVE-2007-0654 https://bugzilla.redhat.com/show_bug.cgi?id=233705 fedora-triage-list at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Apr 4 06:39:02 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 4 Apr 2008 02:39:02 -0400 Subject: [Bug 233705] CVE-2007-0653 XMMS multiple issues (CVE-2007-0654) In-Reply-To: Message-ID: <200804040639.m346d2TF003770@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654) Alias: CVE-2007-0654 https://bugzilla.redhat.com/show_bug.cgi?id=233705 bugzilla at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|normal |medium Product|Fedora Extras |Fedora Alias| |CVE-2007-0654 Version|fc6 |6 fedora-triage-list at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fedora-triage- | |list at redhat.com Status Whiteboard|impact=low,reported=20070206|impact=low,reported=20070206 |,source=secunia,embargo=2007|,source=secunia,embargo=2007 |0321 |0321 bzcl34nup ------- Additional Comments From fedora-triage-list at redhat.com 2008-04-04 02:39 EST ------- Fedora apologizes that these issues have not been resolved yet. We're sorry it's taken so long for your bug to be properly triaged and acted on. We appreciate the time you took to report this issue and want to make sure no important bugs slip through the cracks. If you're currently running a version of Fedora Core between 1 and 6, please note that Fedora no longer maintains these releases. We strongly encourage you to upgrade to a current Fedora release. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained and closing them. http://fedoraproject.org/wiki/LifeCycle/EOL If this bug is still open against Fedora Core 1 through 6, thirty days from now, it will be closed 'WONTFIX'. If you can reporduce this bug in the latest Fedora version, please change to the respective version. If you are unable to do this, please add a comment to this bug requesting the change. Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we are following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again. And if you'd like to join the bug triage team to help make things better, check out http://fedoraproject.org/wiki/BugZappers -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Apr 4 07:36:21 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 4 Apr 2008 03:36:21 -0400 Subject: [Bug 307471] CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple vulnerabilities In-Reply-To: Message-ID: <200804040736.m347aLW3008927@bz-web1.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple vulnerabilities https://bugzilla.redhat.com/show_bug.cgi?id=307471 fedora-triage-list at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fedora-triage- | |list at redhat.com Status Whiteboard| | bzcl34nup ------- Additional Comments From fedora-triage-list at redhat.com 2008-04-04 03:36 EST ------- Fedora apologizes that these issues have not been resolved yet. We're sorry it's taken so long for your bug to be properly triaged and acted on. We appreciate the time you took to report this issue and want to make sure no important bugs slip through the cracks. If you're currently running a version of Fedora Core between 1 and 6, please note that Fedora no longer maintains these releases. We strongly encourage you to upgrade to a current Fedora release. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained and closing them. http://fedoraproject.org/wiki/LifeCycle/EOL If this bug is still open against Fedora Core 1 through 6, thirty days from now, it will be closed 'WONTFIX'. If you can reporduce this bug in the latest Fedora version, please change to the respective version. If you are unable to do this, please add a comment to this bug requesting the change. Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we are following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again. And if you'd like to join the bug triage team to help make things better, check out http://fedoraproject.org/wiki/BugZappers -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Apr 4 07:36:23 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 4 Apr 2008 03:36:23 -0400 Subject: [Bug 307471] CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple vulnerabilities In-Reply-To: Message-ID: <200804040736.m347aNPL023864@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple vulnerabilities https://bugzilla.redhat.com/show_bug.cgi?id=307471 fedora-triage-list at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Apr 4 08:02:39 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 4 Apr 2008 04:02:39 -0400 Subject: [Bug 229990] CVE-2007-1030: libevent < 1.3 DoS In-Reply-To: Message-ID: <200804040802.m3482dwr015918@bz-web1.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-1030: libevent < 1.3 DoS Alias: CVE-2007-1030 https://bugzilla.redhat.com/show_bug.cgi?id=229990 thoger at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Alias| |CVE-2007-1030 Status|NEEDINFO |CLOSED Resolution| |ERRATA Status Whiteboard| bzcl34nup |bzcl34nup ------- Additional Comments From thoger at redhat.com 2008-04-04 04:02 EST ------- Fixed upstream version now in all current Fedora versions. libevent version in Red Hat Enterprise Linux 5 was not affected by this issue (only versions 1.2 - 1.2a were affected). -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Apr 4 08:27:05 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 4 Apr 2008 04:27:05 -0400 Subject: [Bug 233705] CVE-2007-0653 XMMS multiple issues (CVE-2007-0654) In-Reply-To: Message-ID: <200804040827.m348R5lq022132@bz-web1.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654) https://bugzilla.redhat.com/show_bug.cgi?id=233705 thoger at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- OtherBugsDependingO| |228013 nThis| | -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Apr 4 08:26:36 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 4 Apr 2008 04:26:36 -0400 Subject: [Bug 233705] CVE-2007-0653 XMMS multiple issues (CVE-2007-0654) In-Reply-To: Message-ID: <200804040826.m348QaTn022027@bz-web1.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654) https://bugzilla.redhat.com/show_bug.cgi?id=233705 thoger at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Alias|CVE-2007-0654 | Status|NEEDINFO |CLOSED Fixed In Version| |1.2.10-35 Resolution| |CURRENTRELEASE ------- Additional Comments From thoger at redhat.com 2008-04-04 04:26 EST ------- Fixed in all current Fedora version as of version 1:1.2.10-35. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Apr 4 09:33:38 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 4 Apr 2008 05:33:38 -0400 Subject: [Bug 187353] Possible security issue In-Reply-To: Message-ID: <200804040933.m349Xcpe019508@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Possible security issue Alias: CVE-2006-1390 https://bugzilla.redhat.com/show_bug.cgi?id=187353 j.w.r.degoede at hhs.nl changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard| bzcl34nup |bzcl34nup Flag| |needinfo? ------- Additional Comments From j.w.r.degoede at hhs.nl 2008-04-04 05:33 EST ------- AFAIK (might have get fixed through upstream) this bug is still present in rawhide, gentoo has a patch for this here: http://bugs.gentoo.org/attachment.cgi?id=139487&action=view Worth fixing, not sure if its worth marking the fix security though IMHO. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Apr 4 09:35:08 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 4 Apr 2008 05:35:08 -0400 Subject: [Bug 187353] Possible security issue In-Reply-To: Message-ID: <200804040935.m349Z8im005405@bz-web1.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Possible security issue Alias: CVE-2006-1390 https://bugzilla.redhat.com/show_bug.cgi?id=187353 j.w.r.degoede at hhs.nl changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED Flag|needinfo? | -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Apr 4 11:23:49 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 4 Apr 2008 07:23:49 -0400 Subject: [Bug 187353] Possible security issue In-Reply-To: Message-ID: <200804041123.m34BNniF010235@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Possible security issue Alias: CVE-2006-1390 https://bugzilla.redhat.com/show_bug.cgi?id=187353 ------- Additional Comments From lmacken at redhat.com 2008-04-04 07:23 EST ------- >From upstream: " We could probably extract the relevant changes, but I don't think that you actually need them. The real security bug is being caused by gentoo's policy of giving users full access to the same group as nethack's setgid setting. They shot themselves in the foot here, by allowing users to modify the score file outside of nethack. The lax buffer handling has been (or will be, from a 3.4.3 perspective...) fixed, but it is not exploitable in a standard installation where nethack runs in a group whose files can't be manipulated by arbitrary users. I assume that redhat/fedora doesn't have the same config issue as gentoo. If I'm wrong, then you should change nethack to run in a distinct group rather than--or in addition to-- patching its score file parsing code." -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Apr 4 11:30:28 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 4 Apr 2008 07:30:28 -0400 Subject: [Bug 187353] Possible security issue In-Reply-To: Message-ID: <200804041130.m34BUSQh011567@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Possible security issue Alias: CVE-2006-1390 https://bugzilla.redhat.com/show_bug.cgi?id=187353 ------- Additional Comments From j.w.r.degoede at hhs.nl 2008-04-04 07:30 EST ------- >From me (repeating myself from comment #3): Although users are not in the games group on Fedora this is still a problem, this hole allows the following scenario: - find a sgid game which is exploitable to get games gid rights - use the games gid rights to drop a crafted file which will exploit nethack when opened by nethack. - once another users runs nethack and opens the crafted file unwanted things get done with the rights of the other user. So although low priority this needs fixing never the less. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Apr 4 12:16:38 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 4 Apr 2008 08:16:38 -0400 Subject: [Bug 187353] Possible security issue In-Reply-To: Message-ID: <200804041216.m34CGcN6021934@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Possible security issue Alias: CVE-2006-1390 https://bugzilla.redhat.com/show_bug.cgi?id=187353 jonstanley at gmail.com changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|lmacken at redhat.com |security-response- | |team at redhat.com QAContact|extras-qa at fedoraproject.org | -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Apr 4 12:16:17 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 4 Apr 2008 08:16:17 -0400 Subject: [Bug 187353] Possible security issue In-Reply-To: Message-ID: <200804041216.m34CGHPj021867@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Possible security issue Alias: CVE-2006-1390 https://bugzilla.redhat.com/show_bug.cgi?id=187353 jonstanley at gmail.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonstanley at gmail.com Component|nethack |vulnerability Product|Fedora |Security Response Version|rawhide |unspecified ------- Additional Comments From jonstanley at gmail.com 2008-04-04 08:16 EST ------- Changing product to Security Response -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Apr 4 12:25:04 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 4 Apr 2008 08:25:04 -0400 Subject: [Bug 187353] CVE-2006-1390 nethack: Local privilege escalation via crafted score file In-Reply-To: Message-ID: <200804041225.m34CP4Tx023833@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-1390 nethack: Local privilege escalation via crafted score file Alias: CVE-2006-1390 https://bugzilla.redhat.com/show_bug.cgi?id=187353 thoger at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Possible security issue |CVE-2006-1390 nethack: Local | |privilege escalation via | |crafted score file -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Apr 4 13:44:41 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 4 Apr 2008 09:44:41 -0400 Subject: [Bug 187353] CVE-2006-1390 nethack: Local privilege escalation via crafted score file In-Reply-To: Message-ID: <200804041344.m34Dif1o020355@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-1390 nethack: Local privilege escalation via crafted score file Alias: CVE-2006-1390 https://bugzilla.redhat.com/show_bug.cgi?id=187353 lmacken at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lmacken at redhat.com ------- Additional Comments From lmacken at redhat.com 2008-04-04 09:44 EST ------- (In reply to comment #8) > From me (repeating myself from comment #3): > > Although users are not in the games group on Fedora this is still a problem, > this hole allows the following scenario: > - find a sgid game which is exploitable to get games gid rights > - use the games gid rights to drop a crafted file which will > exploit nethack when opened by nethack. > - once another users runs nethack and opens the crafted file > unwanted things get done with the rights of the other user. > > So although low priority this needs fixing never the less. So, do you think we should try and get the patch from upstream, or do the same thing that you did with vultures eye and create a separate 'nethack' group ? -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Apr 4 14:19:02 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 4 Apr 2008 10:19:02 -0400 Subject: [Bug 187353] CVE-2006-1390 nethack: Local privilege escalation via crafted score file In-Reply-To: Message-ID: <200804041419.m34EJ22K004356@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-1390 nethack: Local privilege escalation via crafted score file Alias: CVE-2006-1390 https://bugzilla.redhat.com/show_bug.cgi?id=187353 ------- Additional Comments From j.w.r.degoede at hhs.nl 2008-04-04 10:19 EST ------- (In reply to comment #10) > (In reply to comment #8) > > From me (repeating myself from comment #3): > > > > Although users are not in the games group on Fedora this is still a problem, > > this hole allows the following scenario: > > - find a sgid game which is exploitable to get games gid rights > > - use the games gid rights to drop a crafted file which will > > exploit nethack when opened by nethack. > > - once another users runs nethack and opens the crafted file > > unwanted things get done with the rights of the other user. > > > > So although low priority this needs fixing never the less. > > So, do you think we should try and get the patch from upstream, or do the same > thing that you did with vultures eye and create a separate 'nethack' group ? I vote for creating a seperate group, because AFAIK nethack needs several files under /var/games and opens / close these several times during one run of the game, making early sgid dropping, as we do with other games impossible (or atleast quite hard todo), so putting it in its own group probably is best. For more on the early sgid dropping we do, see: http://fedoraproject.org/wiki/SIGs/Games/Packaging#head-193b9a502a42098e62591d036ad9f428bb5e3474 The idea here is that if even if one manages to subvert a sgid games game, one does still not have access to gid games rights, as those have been dropt, so the damaged for a subverted game is limited to write access to that games highscore file. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Apr 4 17:44:35 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 4 Apr 2008 13:44:35 -0400 Subject: [Bug 187353] CVE-2006-1390 nethack: Local privilege escalation via crafted score file In-Reply-To: Message-ID: <200804041744.m34HiZ4f012579@bz-web1.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-1390 nethack: Local privilege escalation via crafted score file Alias: CVE-2006-1390 https://bugzilla.redhat.com/show_bug.cgi?id=187353 ------- Additional Comments From metcalfegreg at qwest.net 2008-04-04 13:44 EST ------- My group count is already up to 60, with one user. IMHO, adding another for some random game is not optimal. It only life makes life harder for people writing system profiling/hardening/management tools, and systems administrators that would like to use them to manage groups of machines. A best practice for *writing* SUID/SGID programs is to use those privileges as early as possible, then revoke them. If nethack isn't doing that, I have to wonder what other problems it might have, and whether I should allow it on the system at all. I just installed it, and got this error, as I have no /etc/X11/fontpath.d/: ln: creating symbolic link `/etc/X11/fontpath.d/nethack': No such file or directory error: %post(nethack-3.4.3-16.fc7.i386) scriptlet failed, exit status 1 Installed: nethack.i386 0:3.4.3-16.fc7 Complete! So, another problem. I started it, and find the following files in var/games/nethack: -rw-rw-r-- 1 root games 0 2008-01-23 12:48 logfile -rw-rw-r-- 1 root games 0 2008-01-23 12:48 perm -rw-rw-r-- 1 root games 0 2008-01-23 12:48 record drwxrwxr-x 2 root games 4096 2008-01-23 12:48 save I quit, and logfile contains: 3.4.3 0 0 1 1 14 14 0 20080404 20080404 500 Pri Hum Fem Cha gregm,quit So it does have to write into /var/log, as current designed. Some other characteristics of the executable: $ eu-readelf -l /usr/games/nethack-3.4.3/nethack | fgrep STACK | awk '{ print $7 }' RW eu-readelf -d /usr/games/nethack-3.4.3/nethack | fgrep -q TEXTREL exits with 1, so the program contains no text relocations. So at least those bits are OK. But I wonder if this program couldn't have been better written, to use /tmp, then call a logger before exit. I just don't like the idea of adding yet another group for some random game. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Apr 4 18:15:18 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 4 Apr 2008 14:15:18 -0400 Subject: [Bug 187353] CVE-2006-1390 nethack: Local privilege escalation via crafted score file In-Reply-To: Message-ID: <200804041815.m34IFIUu019721@bz-web1.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-1390 nethack: Local privilege escalation via crafted score file Alias: CVE-2006-1390 https://bugzilla.redhat.com/show_bug.cgi?id=187353 ------- Additional Comments From lmacken at redhat.com 2008-04-04 14:15 EST ------- (In reply to comment #12) > I just installed it, and got this error, as I have no /etc/X11/fontpath.d/: > ln: creating symbolic link `/etc/X11/fontpath.d/nethack': No such file or directory > error: %post(nethack-3.4.3-16.fc7.i386) scriptlet failed, exit status 1 > Installed: nethack.i386 0:3.4.3-16.fc7 > Complete! Oops! I fixed this a couple of months ago, but never pushed an update out. http://admin.fedoraproject.org/updates/F7/pending/nethack-3.4.3-17.fc7 Should fix that issue. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Apr 4 19:09:24 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 4 Apr 2008 15:09:24 -0400 Subject: [Bug 187353] CVE-2006-1390 nethack: Local privilege escalation via crafted score file In-Reply-To: Message-ID: <200804041909.m34J9O4i030048@bz-web1.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-1390 nethack: Local privilege escalation via crafted score file Alias: CVE-2006-1390 https://bugzilla.redhat.com/show_bug.cgi?id=187353 ------- Additional Comments From metcalfegreg at qwest.net 2008-04-04 15:09 EST ------- yum localinstall failed w/ "Package nethack-3.4.3-17.fc7.i386.rpm is not signed", but it went in via rpm. Link problem fixed. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.