Making xshisen use O_EXCL when writing its rc file seems like the easiest way to fix this hole, but I don't trust it, since O_EXCL doesn't (always?) work on NFS, and a user's home directory could be on an NFS volume.
If I maintained this package I would look at its prior (miserable) security history and remove the sgid bit. A global high score file isn't worth it. -- see shy jo
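As an added example (not part of the original message and not xshisen's own code), here is the in-program form of the two points above: give up the setgid group before writing anything under the user's home directory, and, as defense in depth, open the rc file with O_NOFOLLOW plus an fstat() ownership check rather than relying on O_EXCL, whose exclusive-create semantics are what the message distrusts over NFS. The function names, the temp-directory scenario and the "victim" file are my own constructions; it assumes a Linux/BSD libc (O_NOFOLLOW, mkdtemp, setregid).

```c
/* Added example (not xshisen's code): writing a per-user rc file from a
 * setgid program without being redirected by a symlink or hard link
 * planted by the user. Assumes a Linux/BSD libc (O_NOFOLLOW, mkdtemp).
 * The fix the message actually recommends is removing the sgid bit; the
 * privilege drop below is the in-program equivalent of that. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Give up the setgid group permanently before touching the user's home
 * directory. setregid() with the real gid in both slots also resets the
 * saved set-group-id on Linux, so the drop cannot be undone later.
 * Returns 0 on success, -1 if the drop failed or did not take effect. */
int drop_setgid(void)
{
    gid_t rgid = getgid();
    if (setregid(rgid, rgid) != 0) return -1;
    return (getegid() == rgid) ? 0 : -1;
}

/* Open the rc file for writing. O_NOFOLLOW makes open() fail (ELOOP on
 * Linux) if the final path component is a symlink; that check is done by
 * the client kernel during lookup, so unlike O_EXCL it does not depend on
 * an NFS server honouring exclusive create. The fstat() afterwards rejects
 * a hard link to somebody else's file and anything that is not a regular
 * file. Returns an fd, or -1 with errno set. */
int open_rc_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp dir: "~/.xshisen" is a symlink to
 * a "victim" file, the way a user would plant it to make the sgid game
 * overwrite something. Returns 1 if the open is refused and the victim is
 * left untouched, 0 otherwise. */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/xshisen-demo-XXXXXX";
    char victim[64], rc[64];
    struct stat st;
    int v, fd, ok = 0;

    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(rc, sizeof rc, "%s/.xshisen", dir);
    v = open(victim, O_WRONLY | O_CREAT, 0600);   /* empty target file */
    if (v >= 0) close(v);
    if (symlink(victim, rc) == 0) {
        fd = open_rc_nofollow(rc);
        if (fd >= 0) close(fd);   /* a real program would now clobber victim */
        ok = (fd < 0 && stat(victim, &st) == 0 && st.st_size == 0);
    }
    unlink(rc); unlink(victim); rmdir(dir);
    return ok;
}

/* Control case: a freshly created regular file is accepted and written.
 * Returns 1 on success, 0 otherwise. */
int demo_regular_file_accepted(void)
{
    char dir[] = "/tmp/xshisen-demo-XXXXXX";
    char rc[64];
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL) return 0;
    snprintf(rc, sizeof rc, "%s/.xshisen", dir);
    fd = open_rc_nofollow(rc);
    if (fd >= 0) {
        ok = (write(fd, "score=0\n", 8) == 8);
        close(fd);
    }
    unlink(rc); rmdir(dir);
    return ok;
}

int main(void)
{
    if (drop_setgid() != 0) { perror("drop_setgid"); return 1; }
    printf("symlink rejected: %d\n", demo_symlink_rejected());
    printf("regular file ok:  %d\n", demo_regular_file_accepted());
    return 0;
}
```

The order matters: drop_setgid() runs first, so even if open_rc_nofollow() were bypassed (for example by a symlinked parent directory, which O_NOFOLLOW does not cover), the write would only carry the user's own permissions, which is exactly what removing the sgid bit would give.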