[Bug 187353] Possible security issue
bugzilla at redhat.com
bugzilla at redhat.com
Fri Apr 4 11:23:49 UTC 2008
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: Possible security issue
Alias: CVE-2006-1390
https://bugzilla.redhat.com/show_bug.cgi?id=187353
------- Additional Comments From lmacken at redhat.com 2008-04-04 07:23 EST -------
>From upstream:
" We could probably extract the relevant changes, but I don't
think that you actually need them. The real security bug is
being caused by gentoo's policy of giving users full access to
the same group as nethack's setgid setting. They shot themselves
in the foot here, by allowing users to modify the score file
outside of nethack. The lax buffer handling has been (or will
be, from a 3.4.3 perspective...) fixed, but it is not exploitable
in a standard installation where nethack runs in a group whose
files can't be manipulated by arbitrary users.
I assume that redhat/fedora doesn't have the same config
issue as gentoo. If I'm wrong, then you should change nethack
to run in a distinct group rather than--or in addition to--
patching its score file parsing code."
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
More information about the fedora-triage-list
mailing list