[Bug 187353] CVE-2006-1390 nethack: Local privilege escalation via crafted score file


Summary: CVE-2006-1390 nethack: Local privilege escalation via crafted score file
Alias: CVE-2006-1390

------- Additional Comments From metcalfegreg@xxxxxxxxx  2008-04-04 13:44 EST -------
My group count is already up to 60, with one user. IMHO, adding another for some 
random game is not optimal. It only makes life harder for people writing system 
profiling/hardening/management tools, and for systems administrators that would like to 
use them to manage groups of machines. 

A best practice for *writing* SUID/SGID programs is to use those privileges as early as 
possible, then revoke them. If nethack isn't doing that, I have to wonder what other 
problems it might have, and whether I should allow it on the system at all.

I just installed it, and got this error, as I have no /etc/X11/fontpath.d/:
ln: creating symbolic link `/etc/X11/fontpath.d/nethack': No such file or directory
error: %post(nethack-3.4.3-16.fc7.i386) scriptlet failed, exit status 1
Installed: nethack.i386 0:3.4.3-16.fc7
So, another problem.

I started it, and find the following files in /var/games/nethack:
-rw-rw-r-- 1 root games    0 2008-01-23 12:48 logfile
-rw-rw-r-- 1 root games    0 2008-01-23 12:48 perm
-rw-rw-r-- 1 root games    0 2008-01-23 12:48 record
drwxrwxr-x 2 root games 4096 2008-01-23 12:48 save
I quit, and logfile contains:
3.4.3 0 0 1 1 14 14 0 20080404 20080404 500 Pri Hum Fem Cha gregm,quit

So it does have to write into /var/log, as currently designed. Some other characteristics of 
the executable:
$ eu-readelf -l /usr/games/nethack-3.4.3/nethack | fgrep STACK | awk '{ print $7 }'
eu-readelf -d /usr/games/nethack-3.4.3/nethack | fgrep -q TEXTREL exits with 1, so the 
program contains no text relocations. So at least those bits are OK.

But I wonder if this program couldn't have been better written, to use /tmp, then call a 
logger before exit. I just don't like the idea of adding yet another group for some random 

Fedora-security-list mailing list