[Bug 187353] CVE-2006-1390 nethack: Local privilege escalation via crafted score file
bugzilla at redhat.com
Fri Apr 4 17:44:35 UTC 2008
Summary: CVE-2006-1390 nethack: Local privilege escalation via crafted score file
Alias: CVE-2006-1390
https://bugzilla.redhat.com/show_bug.cgi?id=187353
------- Additional Comments From metcalfegreg at qwest.net 2008-04-04 13:44 EST -------
My group count is already up to 60, with one user. IMHO, adding another for some
random game is not optimal. It only makes life harder for people writing system
profiling/hardening/management tools, and systems administrators that would like to
use them to manage groups of machines.
A best practice for *writing* SUID/SGID programs is to use those privileges as early as
possible, then revoke them. If nethack isn't doing that, I have to wonder what other
problems it might have, and whether I should allow it on the system at all.
I just installed it, and got this error, as I have no /etc/X11/fontpath.d/:
ln: creating symbolic link `/etc/X11/fontpath.d/nethack': No such file or directory
error: %post(nethack-3.4.3-16.fc7.i386) scriptlet failed, exit status 1
Installed: nethack.i386 0:3.4.3-16.fc7
Complete!
So, another problem.
I started it, and find the following files in var/games/nethack:
-rw-rw-r-- 1 root games 0 2008-01-23 12:48 logfile
-rw-rw-r-- 1 root games 0 2008-01-23 12:48 perm
-rw-rw-r-- 1 root games 0 2008-01-23 12:48 record
drwxrwxr-x 2 root games 4096 2008-01-23 12:48 save
I quit, and logfile contains:
3.4.3 0 0 1 1 14 14 0 20080404 20080404 500 Pri Hum Fem Cha gregm,quit
So it does have to write into /var/log, as currently designed. Some other characteristics of
the executable:
$ eu-readelf -l /usr/games/nethack-3.4.3/nethack | fgrep STACK | awk '{ print $7 }'
RW
eu-readelf -d /usr/games/nethack-3.4.3/nethack | fgrep -q TEXTREL exits with 1, so the
program contains no text relocations. So at least those bits are OK.
But I wonder if this program couldn't have been better written, to use /tmp, then call a
logger before exit. I just don't like the idea of adding yet another group for some random
game.