[Bug 187353] CVE-2006-1390 nethack: Local privilege escalation via crafted score file

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-1390 nethack: Local privilege escalation via crafted score file
Alias: CVE-2006-1390

https://bugzilla.redhat.com/show_bug.cgi?id=187353


lmacken@xxxxxxxxxx changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lmacken@xxxxxxxxxx




------- Additional Comments From lmacken@xxxxxxxxxx  2008-04-04 09:44 EST -------
(In reply to comment #8)
> From me (repeating myself from comment #3):
> 
> Although users are not in the games group on Fedora this is still a problem,
> this hole allows the following scenario:
> - find a sgid game which is exploitable to get games gid rights
> - use the games gid rights to drop a crafted file which will
>   exploit nethack when opened by nethack.
> - once another user runs nethack and opens the crafted file
>   unwanted things get done with the rights of the other user.
> 
> So although low priority this needs fixing nevertheless.

So, do you think we should try and get the patch from upstream, or do the same
thing that you did with Vulture's Eye and create a separate 'nethack' group?

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
