https://bugzilla.redhat.com/show_bug.cgi?id=524992

Hans de Goede <hdegoede@xxxxxxxxxx> changed:

           What    |Removed                   |Added
----------------------------------------------------------------------------
             Status|NEW                       |ASSIGNED
         AssignedTo|nobody@xxxxxxxxxxxxxxxxx  |hdegoede@xxxxxxxxxx
               Flag|                          |fedora-review?

--- Comment #7 from Hans de Goede <hdegoede@xxxxxxxxxx> 2009-11-21 09:09:31 EDT ---

Hi,

Full review (md5sum, license, spec file readability, etc.) done, the package
looks good. I have only one remark.

I'm not completely happy with how the highscore file is handled. My problem is
that toppler does not drop its sgid rights: it changes its egid, but it keeps
the rights. So if someone is able to take control of the toppler process, he
can then use the sgid games rights to get access to highscore files of other
games, which in turn could be used to inject data into other people's processes
with the purpose of taking over control of said process.

I would like to see toppler patched to open the highscore file at startup (in
rw mode) as the first thing in main, and then drop the sgid rights completely.
This means the lock file will have to go. This lack of highscore file locking
is a problem with many games in general, but one which is usually just ignored,
as in practice it never gets triggered.

Regards,

Hans
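The startup order the review asks for, as an added example that is not part of the bug thread or of toppler's own code (the highscore path, the function names and the games-group argument are assumptions; the privilege calls are POSIX/Linux):

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Step 1: open the shared highscore file read/write while the process still
   runs with the effective gid of the games group (hypothetical path). */
int open_highscore(const char *path)
{
    return open(path, O_RDWR | O_CREAT, 0664);
}

/* Step 2: give the group rights up for good. setregid(rgid, rgid) sets the
   real and effective gid, and because the real gid is written explicitly the
   saved set-group-ID follows on Linux and the BSDs (setresgid(rgid, rgid, rgid)
   is the explicit spelling where available). A plain setegid(getgid()) leaves
   the saved gid intact, which is exactly what lets the process regain the
   games group later. */
int drop_sgid(void)
{
    gid_t rgid = getgid();
    if (setregid(rgid, rgid) != 0)
        return -1;
    return getegid() == rgid ? 0 : -1;
}

/* Check a reviewer can run: after dropping, the effective gid must equal the
   real gid and switching back to the privileged group must be refused. If the
   binary is not installed sgid, both gids are equal and there is nothing to
   regain, so the check passes trivially. Returns 1 when the drop stuck. */
int sgid_is_dropped(gid_t privileged)
{
    gid_t rgid = getgid();
    if (getegid() != rgid)
        return 0;
    if (privileged == rgid)
        return 1;
    if (setegid(privileged) == 0) {   /* regained it: drop was incomplete */
        setegid(rgid);
        return 0;
    }
    return 1;
}

/* Startup order from the review: open first, then drop, then refuse to run if
   the drop did not stick. Returns the open highscore fd or -1. */
int toppler_startup(const char *highscore_path, gid_t games_gid)
{
    int fd = open_highscore(highscore_path);
    if (fd < 0)
        return -1;
    if (drop_sgid() != 0 || !sgid_is_dropped(games_gid)) {
        close(fd);
        return -1;
    }
    return fd;
}
```

Locking of the highscore file has to happen on the already-open fd (or be given up, as the comment says), since nothing after this point may reopen it with group rights.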