From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id A3234138232 for ; Tue, 1 Jan 2013 22:26:33 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id BEF5721C02F; Tue, 1 Jan 2013 22:26:19 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 20D1021C02F for ; Tue, 1 Jan 2013 22:25:12 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp.gentoo.org (Postfix) with ESMTP id 4A9D133C2F0 for ; Tue, 1 Jan 2013 22:25:11 +0000 (UTC) X-Virus-Scanned: by amavisd-new using ClamAV at gentoo.org X-Spam-Flag: NO X-Spam-Score: -0.144 X-Spam-Level: X-Spam-Status: No, score=-0.144 tagged_above=-999 required=5.5 tests=[AWL=-0.132, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no Received: from smtp.gentoo.org ([IPv6:::ffff:127.0.0.1]) by localhost (smtp.gentoo.org [IPv6:::ffff:127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ENe9vYOFAZw7 for ; Tue, 1 Jan 2013 22:25:04 +0000 (UTC) Received: from plane.gmane.org (plane.gmane.org [80.91.229.3]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id B8F6433BECC for ; Tue, 1 Jan 2013 22:25:03 +0000 (UTC) Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from ) id 1TqAGo-00054q-Hx for gentoo-user@gentoo.org; Tue, 01 Jan 2013 23:25:14 +0100 Received: from rej2.kyla.fi ([82.130.49.146]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Tue, 01 Jan 2013 23:25:14 +0100 Received: from nunojsilva by rej2.kyla.fi with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Tue, 01 Jan 2013 23:25:14 +0100 X-Injected-Via-Gmane: http://gmane.org/ To: gentoo-user@lists.gentoo.org From: nunojsilva@ist.utl.pt (Nuno J. Silva) Subject: [gentoo-user] Re: gentoo netheck Date: Wed, 02 Jan 2013 00:28:36 +0200 Message-ID: <877gnw5yi3.fsf@ist.utl.pt> References: <50E32270.8000500@gmail.com> <20130101104432.5a742b26@khumba.net> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: rej2.kyla.fi User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux) Cancel-Lock: sha1:L8D79d222f40B0kupKSPuIKqwrE= X-Archives-Salt: bfff5a14-f39b-456a-adfa-7cb17d47c8f5 X-Archives-Hash: 1a259e2d7b71cb0f56c0924021a6bf2f On 2013-01-01, Bryan Gardiner wrote: > On Wed, 2 Jan 2013 02:01:52 +0800 > Analuin Abyssbeholder wrote: > >> Today I wanted to install nethack and found it is masked: >> >> The following mask changes are necessary to proceed: >> #required by nethack (argument) >> # /usr/portage/profiles/package.mask: >> # Tavis Ormandy (21 Mar 2006) >> # masked pending unresolved security issues #125902 >> =games-roguelike/nethack-3.4.3-r1 >> >> Then I googled and view >> https://bugs.gentoo.org/show_bug.cgi?id=125902#c82. Well, you could have just gone to bugs.gentoo.org and searched for 125902 :-) >> It turned out the bug has been existed for more than six years and is >> related to gentoo's group game policy. So can I just manually install >> nethack as a common user ? > > If you're the only user of your computer, you could also just unmask > the version in Portage. The bug is that any user in the games group > can edit all save files, so if you want to hack your own saves, go > ahead :). Or if you trust all games users. The main problem is not the cheating, but that nethack does not employ any kind of checks on the scores file when reading it, this effectively enables an attack vector where anyone with access to the scores file can exploit vulnerabilities in nethack simply by writing a specially-crafted score file. Nethack just relies on being setgid to a group and installing the scores file as writeable by that group. Unfortunately, that happens to be the very same "games" group Gentoo uses to group users who are allowed to play games, therefore rendering nethack's protection useless. > > Doesn't look like there's any newer version of NetHack out, either. > > Cheers, > Bryan > > -- Nuno Silva (aka njsg) http://njsg.sdf-eu.org/