Package: xemeraldia
Version: 0.3-29
Severity: grave
Tags: security

In the progress of removing the sgid bit from xemeraldia as a routine preventative measure, I noticed that Xemeraldia's score file is controlled by an X resource. Therefore, it can trivially be used to overwrite any file on the system that can be written to by group games.

    [EMAIL PROTECTED]:~>xrdb -merge
    XEmeraldia*ScoreFile: /var/games/xjewel.scores

Now just run xemeraldia, lose a game, and the xjewel score file is replaced by an xemeraldia score file.

It's also possible that since this can be used to feed xemeraldia arbitrary data files, this could be used to crash it, which would obtain a shell owned by group games. I have not attempted this exploit.

Note that xemeraldia's own Imakefile does not install it sgid or suid to anything, so this bug can only be exploited on systems which override its default permissions. However, its Imakefile certainly did encourage making it sgid/suid by setting the score file location to /usr/local/lib, and I expect most systems install it sgid.

The best fix is to make it write to a per-user score file in a user's home directory and lose the sgid bit.

-- 
see shy jo
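The pattern behind this report, and the fix it recommends, in working C. This is an added example, not xemeraldia's code or the reporter's: a setgid program that opens whatever path an X resource names will write wherever the invoking user points it, while the hardened variant ignores a user-supplied path whenever the process carries an extra group, forces the file under $HOME, and drops the setgid group before opening anything. The function names, the `.xemeraldia.scores` file name, and the `XEMERALDIA_SCOREFILE` environment variable (standing in for the X resource so the program runs without X) are all assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Vulnerable pattern, as the report describes it: the resource value is used
 * verbatim, so a binary installed sgid games writes to any group-writable
 * file the user names. */
const char *vulnerable_score_path(const char *resource_value,
                                  const char *default_path)
{
    return (resource_value && *resource_value) ? resource_value : default_path;
}

/* malloc'd copy of s; avoids relying on strdup being declared. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Hardened pattern: honour a user-supplied path only when the process has no
 * extra privilege; otherwise force a per-user file under $HOME (refusing an
 * unset or relative HOME). Returns a malloc'd string, or NULL on error. */
char *hardened_score_path(const char *resource_value, int is_setgid,
                          const char *home)
{
    const char *name = "/.xemeraldia.scores";   /* assumed file name */
    if (!is_setgid && resource_value && *resource_value)
        return dup_str(resource_value);
    if (!home || home[0] != '/')
        return NULL;
    size_t hl = strlen(home), nl = strlen(name);
    char *p = malloc(hl + nl + 1);
    if (!p)
        return NULL;
    memcpy(p, home, hl);
    memcpy(p + hl, name, nl + 1);
    return p;
}

/* Runtime half of "lose the sgid bit": drop the saved/effective group to the
 * real one and verify the drop took. 0 on success, -1 otherwise. */
int drop_group_privs(void)
{
    gid_t rgid = getgid();
    if (setgid(rgid) != 0)
        return -1;
    return getegid() == rgid ? 0 : -1;
}

int main(void)
{
    int setgid_now = getgid() != getegid();
    /* Stand-in for the XEmeraldia*ScoreFile resource (assumption). */
    const char *res = getenv("XEMERALDIA_SCOREFILE");
    char *path = hardened_score_path(res, setgid_now, getenv("HOME"));
    if (!path) {
        fprintf(stderr, "no usable score file path\n");
        return 1;
    }
    /* Drop the group before touching the filesystem, never after. */
    if (drop_group_privs() != 0) {
        fprintf(stderr, "could not drop group privileges\n");
        free(path);
        return 1;
    }
    FILE *f = fopen(path, "a");
    if (!f) {
        perror(path);
        free(path);
        return 1;
    }
    fprintf(f, "example 0\n");   /* constructed score line */
    fclose(f);
    printf("wrote score to %s\n", path);
    free(path);
    return 0;
}
```

Run it normally and it appends to `$HOME/.xemeraldia.scores`; set `XEMERALDIA_SCOREFILE=/var/games/xjewel.scores` and the non-setgid build honours it, which is harmless because the process has only the user's own groups. Once `drop_group_privs()` succeeds, a symlink or hostile path can at most damage files the invoking user could already write.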