
| Subject: | Re: [ GLSA 200603-23 ] NetHack, Slash'EM, Falcon's Eye: Local privilege escalation |
|---|---|
| Date: | Fri, 24 Mar 2006 17:19:01 +0000 |
On Fri, Mar 24, 2006 at 03:26:12AM -0800, neeko@feelingsinister.net wrote:

> Hello everyone. Doesn't the included text from the advisory really make it sound more like a problem with their system for managing games?

Hello, this is accurate.

> It doesn't point out any flaw in nethack in general, just behavior that's unexpected/unwanted/uncontrollable in their system.

There is no flaw in nethack that we're aware of, this is an interaction between nethack and the policy used for managing games on gentoo that results in a security problem.

> Are any other distributions/platforms vulnerable to a problem in nethack like this? Sounds like it'd be big news, considering the install base of these games.

Unlikely, gentoo uses a non-standard method of installing games, that is very unlikely to be used elsewhere.

> If this problem is on their end, are other games/applications able to trigger it? They've essentially wiped these fundamental applications (sorry) off their tree for the time being, that's pretty severe.

Yes, Gentoo does not use the standard setgid system for games that store system-wide high scores, save games, etc, and as a result anyone can manipulate the high score tables or save games. Nethack was simply not designed to work this way and does not expect users to be able to modify its state data arbitrarily, and as a result makes assumptions about the format of the files that may not hold true on Gentoo. We have decided to temporarily revoke these packages while these issues are resolved.

Thanks, Tavis.

-- ------------------------------------- taviso@sdf.lonestar.org | finger me for my pgp key. -------------------------------------------------------
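
An audit for the condition described in the message above, added here as an example and not part of the original post or of Gentoo's or NetHack's code: it lists state files that accounts can edit directly, rather than only through a setgid game binary. The function names and the directory argument are assumptions, and only supplementary group membership (the group's member list) is checked.

```python
import grp
import os
import stat
import sys


def group_has_members(gid):
    """True if any account lists this group as a supplementary group."""
    try:
        return bool(grp.getgrgid(gid).gr_mem)
    except KeyError:          # gid with no group entry: nobody is a member
        return False


def user_writable_state(root, has_members=group_has_members):
    """Return sorted (path, reason) pairs for state files users can edit directly."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue      # a symlink's own mode bits are not meaningful
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            elif st.st_mode & stat.S_IWGRP and has_members(st.st_gid):
                findings.append((path, "group-writable by a group with members"))
    return sorted(findings)


if __name__ == "__main__":
    # The state directory is supplied by the operator; no path is assumed here.
    if len(sys.argv) != 2:
        sys.exit("usage: audit_state.py STATE_DIR")
    for path, reason in user_writable_state(sys.argv[1]):
        print(f"{path}: {reason}")
```

An empty result means the score and save files are writable only by their owner or by a group with no member accounts, which is the arrangement the setgid model relies on.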