[Pkg-nethack-devel] Bug#180535: marked as done (nethack-common: recover binary is setgid and g+w)

Debian Bug Tracking System owner@bugs.debian.org
Sat, 08 Nov 2003 19:33:16 -0600


Your message dated Sat, 8 Nov 2003 17:31:48 -0800
with message-id <20031109013146.GA10932@firesong>
and subject line Fixed in 3.4.0-3.0woody3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 11 Feb 2003 02:54:39 +0000
From apathy@chaosengine.net Mon Feb 10 20:54:39 2003
Return-path: <apathy@chaosengine.net>
Received: from mail005.syd.optusnet.com.au [210.49.20.136] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 18iQZC-0000PU-00; Mon, 10 Feb 2003 20:54:39 -0600
Received: from co3031447-a (c17755.kelvn1.qld.optusnet.com.au [210.49.51.109])
	by mail005.syd.optusnet.com.au (8.11.1/8.11.1) with ESMTP id h1B2sac25799
	for <submit@bugs.debian.org>; Tue, 11 Feb 2003 13:54:37 +1100
Received: from apathy by co3031447-a with local (Exim 3.35 #1 (Debian))
	id 18iQZ3-0002Sw-00; Tue, 11 Feb 2003 12:54:29 +1000
From: apathy <apathy@chaosengine.net>
Subject: nethack-common: recover binary is setgid and g+w
To: submit@bugs.debian.org
X-Mailer: bug 3.3.10.1
Message-Id: <E18iQZ3-0002Sw-00@co3031447-a>
Date: Tue, 11 Feb 2003 12:54:29 +1000
Delivered-To: submit@bugs.debian.org
X-Spam-Status: No, hits=0.8 required=5.0
	tests=SPAM_PHRASE_00_01
	version=2.44
X-Spam-Level: 

Package: nethack-common
Version: 3.4.0-3.0woody1
Severity: normal

A buffer overflow et al. in any binary setgid games could allow the
recover binary to be replaced with a trojan.

Probably low risk, but recover doesn't need to be g+w.

regards,
Daniel Quinlan

-- System Information
Debian Release: 3.0
Kernel Version: Linux co3031447-a 2.4.18-586tsc #1 Sun Apr 14 10:57:57 EST 2002 i586 unknown

Versions of the packages nethack-common depends on:
ii  debianutils    1.16           Miscellaneous utilities specific to Debian.
ii  libc6          2.2.5-11.2     GNU C Library: Shared libraries and Timezone
ii  xbase-clients  4.1.0-16       miscellaneous X clients

--- Begin /etc/init.d/nethack (modified conffile)
#!/bin/sh
PATH=/bin:/usr/bin:/sbin:/usr/sbin
GAMEDIR=/var/games/nethack
set -e
cd $GAMEDIR
case "$1" in
  start)
    # Has the nethack package been removed?
    test -x /usr/lib/games/nethack/recover-helper || exit 0
    for file in *.0; do
    # Note "$file" is always explicitly quoted to avoid attack.
    # If there are no files, then "$file" = "*.0", which doesn't
    # exist, so we skip once through this loop and exit.
    # Also, the way this is written, some of the files may
    # disappear before we look at them.
    # Also check -L--there shouldn't be any symlinks, but if there
    # are, we aren't going to process them.
    if [ -f "$file" ] && [ ! -L "$file" ]; then
      # Use 'find' to reliably determine the file's owner user name.
      owner="$(find "$file" -maxdepth 0 -printf '%u')"
      # Refuse to recover root's nethack files.
      if [ "xroot" = "x$owner" ]; then
	echo "Ignoring root's Nethack unrecovered save file."
      else 
	echo "Recovering Nethack save files owned by $owner: "
	# "$owner" is explicitly quoted to avoid attack.
	# In particular, if the "find" command above fails,
	# so will the 'su' command below.
	# There really isn't a good safe way to pass a filename to
	# a child shell through 'su -c', so instead we use a helper
	# script running as the user which recovers everything
	# owned by that user.  This avoids the issue of quoting
	# filenames passed through the shell entirely.
	su "$owner" -c /usr/lib/games/nethack/recover-helper 
      fi
    fi
    done
    ;;
  stop|reload|restart|force-reload)
    ;;
  *)
    N=/etc/init.d/nethack 
    echo "Usage: $N {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac

--- End /etc/init.d/nethack

--- Begin /etc/nethack/nethackrc.tty (modified conffile)
OPTIONS=windowtype:tty,toptenwin,hilite_pet,number_pad
OPTIONS=fixinv,safe_pet,sortpack,tombstone,color
OPTIONS=verbose,news,fruit:potato
OPTIONS=dogname:Slinky
OPTIONS=catname:Rex
OPTIONS=pickup_types:$
OPTIONS=nomail

--- End /etc/nethack/nethackrc.tty
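As an added check, not part of the bug report above and not code from the nethack package: a POSIX sh audit for the condition Daniel describes, a set-user-ID or set-group-ID executable that is also group- or world-writable. It is exercised against a constructed sample tree in a temporary directory; the function names, the sample file names and the temporary directory are assumptions of this example, not anything from the package.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the nethack package.
# Audits a directory tree for set-user-ID or set-group-ID regular files
# that are also group- or world-writable: the condition reported above
# for the recover binary.  Any account in the file's group (or anyone,
# for o+w) could overwrite such a file, and the replacement would then
# run with the elevated group or user ID whenever the file is executed.

# Print each regular file under $1 that has setuid or setgid together
# with group or other write permission, one path per line.
find_writable_setid() {
    find "$1" -type f \
        \( -perm -4000 -o -perm -2000 \) \
        \( -perm -020 -o -perm -002 \) \
        -print
}

# Return the number of flagged files under $1, for use in scripts.
count_writable_setid() {
    find_writable_setid "$1" | wc -l | tr -d ' '
}

# Remediation: clear group and other write on the flagged files only.
# Symbolic mode keeps the set-id bits in place; a numeric mode might not.
fix_writable_setid() {
    find_writable_setid "$1" | while IFS= read -r f; do
        chmod go-w "$f"
    done
}

# Constructed sample tree (hypothetical file names) so the check can be
# run offline.  2755 is how recover should look; 2775 is the reported
# defect (setgid plus g+w).
make_sample_tree() {
    sample="$(mktemp -d)"
    : > "$sample/recover-ok";  chmod 2755 "$sample/recover-ok"
    : > "$sample/recover-bad"; chmod 2775 "$sample/recover-bad"
    : > "$sample/helper-bad";  chmod 4775 "$sample/helper-bad"  # setuid + g+w
    : > "$sample/plain-gw";    chmod 0775 "$sample/plain-gw"    # g+w, not set-id
    printf '%s\n' "$sample"
}

# Usage: sh audit-setid.sh /usr/lib/games   (audit a real tree), or with
# no argument, exercise the check on the constructed sample tree.
if [ $# -gt 0 ]; then
    find_writable_setid "$1"
else
    tree="$(make_sample_tree)"
    echo "flagged before fix: $(count_writable_setid "$tree")"
    fix_writable_setid "$tree"
    echo "flagged after fix:  $(count_writable_setid "$tree")"
    rm -rf "$tree"
fi
```

Only `-perm -mode` (all listed bits set) is used, which is POSIX; the GNU-only `-perm /mode` form is avoided so the same script runs on the BSDs and on older Debian releases. On the sample tree the audit flags recover-bad and helper-bad but not recover-ok (set-id without g+w) or plain-gw (g+w without set-id), and after `fix_writable_setid` nothing is flagged while the setgid bit on recover-bad is still present.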

---------------------------------------
Received: (at 180535-done) by bugs.debian.org; 9 Nov 2003 01:31:55 +0000
From joshk@triplehelix.org Sat Nov 08 19:31:52 2003
Return-path: <joshk@triplehelix.org>
Received: from adsl-67-124-156-138.dsl.pltn13.pacbell.net (triplehelix.org) [67.124.156.138] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1AIeQf-0007Co-00; Sat, 08 Nov 2003 19:31:49 -0600
Received: from firesong.wifi.triplehelix.org
	([192.168.0.2] helo=firesong ident=mail)
	by triplehelix.org with esmtp (Exim 4.22)
	id 1AIeQe-0003Yk-F4
	for 180535-done@bugs.debian.org; Sat, 08 Nov 2003 17:31:48 -0800
Received: from joshk by firesong with local (Exim 3.36 #1 (Debian))
	id 1AIeQe-0002qV-00
	for <180535-done@bugs.debian.org>; Sat, 08 Nov 2003 17:31:48 -0800
Date: Sat, 8 Nov 2003 17:31:48 -0800
To: 180535-done@bugs.debian.org
Subject: Fixed in 3.4.0-3.0woody3
Message-ID: <20031109013146.GA10932@firesong>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="IS0zKkzwUGydFO0o"
Content-Disposition: inline
User-Agent: Mutt/1.5.4i
From: Joshua Kwan <joshk@triplehelix.org>
Delivered-To: 180535-done@bugs.debian.org
X-Spam-Status: No, hits=0.0 required=4.0
	tests=none
	version=2.53-bugs.debian.org_2003_11_7
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_11_7 (1.174.2.15-2003-03-30-exp)



Hi,

This bug has been fixed as of version 3.4.0-3.0woody3 which has
already entered the stable-security distribution and woody4 which is
soon to enter the stable distribution with Joey Schulze's next stable
bugfix release of woody.

I'm closing this bug. Please reopen if you take issue with this.

-- 
Joshua Kwan
