public inbox for gentoo-user@lists.gentoo.org
From: nunojsilva@ist.utl.pt (Nuno J. Silva)
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: gentoo netheck
Date: Wed, 02 Jan 2013 00:28:36 +0200
Message-ID: <877gnw5yi3.fsf@ist.utl.pt>
In-Reply-To: 20130101104432.5a742b26@khumba.net

On 2013-01-01, Bryan Gardiner wrote:

> On Wed, 2 Jan 2013 02:01:52 +0800
> Analuin Abyssbeholder <cntqrxj@gmail.com> wrote:
>
>>  Today I wanted to install nethack and found it is masked:
>> 
>>  The following mask changes are necessary to proceed:
>> #required by nethack (argument)
>> # /usr/portage/profiles/package.mask:
>> # Tavis Ormandy <taviso@gentoo.org> <taviso@gentoo.org> (21 Mar 2006)
>> # masked pending unresolved security issues #125902
>> =games-roguelike/nethack-3.4.3-r1
>> 
>> Then I googled and viewed
>> https://bugs.gentoo.org/show_bug.cgi?id=125902#c82.

Well, you could have just gone to bugs.gentoo.org and searched for
125902 :-)

>> It turned out the bug has existed for more than six years and is
>> related to gentoo's group game policy. So can I just manually install
>> nethack as a common user ?
>
> If you're the only user of your computer, you could also just unmask
> the version in Portage.  The bug is that any user in the games group
> can edit all save files, so if you want to hack your own saves, go
> ahead :).  Or if you trust all games users.

The main problem is not the cheating, but that nethack does not employ
any kind of checks on the scores file when reading it; this effectively
enables an attack vector where anyone with access to the scores file can
exploit vulnerabilities in nethack simply by writing a specially-crafted
score file.

Nethack just relies on being setgid to a group and installing the scores
file as writeable by that group. Unfortunately, that happens to be the
very same "games" group Gentoo uses to group users who are allowed to
play games, therefore rendering nethack's protection useless.

>
> Doesn't look like there's any newer version of NetHack out, either.
>
> Cheers,
> Bryan
>
>

-- 
Nuno Silva (aka njsg)
http://njsg.sdf-eu.org/
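
The condition described in the message above, a setgid program whose group-writable data files belong to a group that ordinary users are also members of, can be checked mechanically. This is an added example, not part of the original message and not Gentoo or NetHack code; the group/passwd excerpts, the paths, the gid values and the dedicated `nethack` group are constructed sample data.

```python
import stat

# Constructed sample data: /etc/group and /etc/passwd excerpts, plus
# (path, st_mode, st_gid) tuples shaped like os.stat() results.
GROUP = """root:x:0:
games:x:35:alice,bob
nethack:x:405:
"""
PASSWD = """root:x:0:0::/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:35::/home/carol:/bin/bash
"""
FILES = [
    ("/usr/games/bin/nethack", 0o102755, 35),     # setgid, shared games group
    ("/var/games/nethack/record", 0o100664, 35),  # group-writable scores file
    ("/opt/nh/nethack", 0o102755, 405),           # setgid, dedicated group
    ("/opt/nh/record", 0o100664, 405),
]

def members_by_gid(group_text, passwd_text):
    """Map gid -> users in that group, via /etc/group or as primary group."""
    members = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _name, _pw, gid, users = line.split(":")
        members[int(gid)] = {u for u in users.split(",") if u}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        members.setdefault(int(fields[3]), set()).add(fields[0])
    return members

def audit(files, members):
    """Return (setgid_binary, data_file, users) where users can write the
    data file directly, bypassing the setgid program entirely."""
    setgid = {gid: path for path, mode, gid in files
              if stat.S_ISREG(mode) and mode & stat.S_ISGID}
    findings = []
    for path, mode, gid in files:
        is_data = mode & stat.S_IWGRP and not mode & stat.S_ISGID
        users = members.get(gid, set()) - {"root"}
        if is_data and gid in setgid and users:
            findings.append((setgid[gid], path, sorted(users)))
    return findings

if __name__ == "__main__":
    for binary, data, users in audit(FILES, members_by_gid(GROUP, PASSWD)):
        print(f"{binary}: {data} writable without setgid by {users}")
```

Only the pair owned by the shared `games` group is reported; the pair owned by a group with no members is not, because there the setgid bit is still the only way to write the file.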


