Gentoo Forums
[ GLSA 200603-23 ] NetHack, Slash'EM, Falcon's Eye: Local privilege escalation
GLSA
Veteran


Joined: 12 May 2004
Posts: 1612

Posted: Thu Mar 23, 2006 10:26 pm    Post subject: [ GLSA 200603-23 ] NetHack, Slash'EM, Falcon's Eye: Local pr

Gentoo Linux Security Advisory

Title: NetHack, Slash'EM, Falcon's Eye: Local privilege escalation (GLSA 200603-23)
Severity: normal
Exploitable: local
Date: March 23, 2006
Updated: March 30, 2006
Bug(s): #125902, #122376, #127167, #127319
ID: 200603-23

Synopsis


NetHack, Slash'EM and Falcon's Eye are vulnerable to local privilege
escalation vulnerabilities that could potentially allow the execution of
arbitrary code as other users.


Background


NetHack is the classic single player dungeon exploration game. Slash'EM
and Falcon's Eye are NetHack variants.


Affected Packages

Package: games-roguelike/nethack
Vulnerable: <= 3.4.3-r1
Architectures: All supported architectures

Package: games-roguelike/falconseye
Vulnerable: <= 1.9.4a
Architectures: All supported architectures

Package: games-roguelike/slashem
Vulnerable: <= 0.0.760
Architectures: All supported architectures


Description


NetHack, Slash'EM and Falcon's Eye have been found to be incompatible
with the system used for managing games on Gentoo Linux. As a result,
they cannot be played securely on systems with multiple users.


Impact


A local user who is a member of group "games" may be able to modify the
state data used by NetHack, Slash'EM or Falcon's Eye to trigger the
execution of arbitrary code with the privileges of other players.
Additionally, the games may create save game files in a manner not
suitable for use on Gentoo Linux, potentially allowing a local user to
create or overwrite files with the permissions of other players.


Workaround


Do not add untrusted users to the "games" group.


Resolution


NetHack has been masked in Portage pending the resolution of these
issues. Vulnerable NetHack users are advised to uninstall the package
until further notice.
Code:
# emerge --ask --verbose --unmerge "games-roguelike/nethack"

Slash'EM has been masked in Portage pending the resolution of these
issues. Vulnerable Slash'EM users are advised to uninstall the package
until further notice.
Code:
# emerge --ask --verbose --unmerge "games-roguelike/slashem"

Falcon's Eye has been masked in Portage pending the resolution of these
issues. Vulnerable Falcon's Eye users are advised to uninstall the
package until further notice.
Code:
# emerge --ask --verbose --unmerge "games-roguelike/falconseye"


References

CVE-2006-1390


Last edited by GLSA on Wed Feb 17, 2010 4:21 am; edited 3 times in total
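
The workaround in the advisory depends on knowing exactly which accounts hold the "games" group. The shell functions below are an added example, not part of the advisory or of Gentoo's tooling: they list accounts that have the group either as a supplementary group or as their primary group, and report any that are not on a list of trusted accounts. The function names, the file-path parameters and the trusted-list argument are assumptions of this example; accounts served from LDAP or NIS are not seen by this file-based check.

```shell
#!/bin/sh
# Added example: audit membership of the "games" group.
# Paths are parameters so the check can run on copies of the files;
# the defaults are the live /etc/group and /etc/passwd.

# Print every account holding the group, one per line, sorted and unique.
# Usage: games_group_members [group] [group_file] [passwd_file]
games_group_members() {
    group_name=${1:-games}
    group_file=${2:-/etc/group}
    passwd_file=${3:-/etc/passwd}

    # Field 3 of a group entry is the GID.
    gid=$(awk -F: -v g="$group_name" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 1    # group not defined in this file

    {
        # Supplementary members: field 4 of the group entry, comma-separated.
        awk -F: -v g="$group_name" '
            $1 == g {
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }' "$group_file"
        # Primary-group members: passwd entries whose GID field matches.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Print members that are not in the space-separated trusted list.
# Usage: untrusted_games_members "user1 user2" [group] [group_file] [passwd_file]
untrusted_games_members() {
    trusted=" $1 "
    shift
    games_group_members "$@" | while IFS= read -r user; do
        case "$trusted" in
            *" $user "*) ;;                 # explicitly trusted
            *) printf '%s\n' "$user" ;;     # needs review
        esac
    done
}
```

Calling `untrusted_games_members "alice"` with no further arguments checks the live system files and prints every other account in the group.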