Re: [ GLSA 200603-23 ] NetHack, Slash'EM, Falcon's Eye: Local privilege escalation

[Tavis Ormandy <taviso () gentoo org>]

On Fri, Mar 24, 2006 at 03:26:12AM -0800, neeko () feelingsinister net wrote:
> Hello everyone.
>
> Doesn't the included text from the advisory really make it sound more like a 
> problem with their system for managing games? 

Hello, this is accurate.

> It doesn't point out any flaw 
> in nethack in general, just behavior that's unexpected/unwanted/uncontrollable
> in their system. 

There is no flaw in nethack that we're aware of, this is an interaction
between nethack and the policy used for managing games on gentoo that
results in a security problem.

> Are any other distributions/platforms vulnerable to a problem in nethack like
> this?  Sounds like it'd be big news, considering the install base of these
> games.  

Unlikely, gentoo uses a non-standard method of installing games, that is
very unlikely to be used elsewhere.

> If this problem is on their end, are other games/applications able to trigger
> it?
>
> They've essentially wiped these fundamental applications (sorry) off their
> tree for the time being, that's pretty severe.

Yes, Gentoo does not use the standard setgid system for games that store
system-wide high scores, save games, etc, and as a result anyone can
manipulate the high score tables or save games.

Nethack was simply not designed to work this way and does not expect
users to be able to modify it's state data arbitrarily, and as a result
makes assumptions about the format of the files that may not hold true
on Gentoo.

We have decided to temporarily revoke these packages while these issues
are resolved.

Thanks, Tavis.

-- 
-------------------------------------
taviso () sdf lonestar org | finger me for my pgp key.
-------------------------------------------------------

Attachment: _bin
Description: