[Secure-testing-team] Bug#684178: gpe-tetris: creates world writable directory /var/games/gpe
Andreas Beckmann
debian at abeckmann.de
Tue Aug 7 14:49:47 UTC 2012
Package: gpe-tetris
Version: 0.6.4-2
Severity: grave
Tags: security
Justification: user security hole
User: debian-qa at lists.debian.org
Usertags: piuparts
Hi,

during a test with piuparts I found that gpe-tetris creates a world
writable directory and a world writable file in there:

  ERROR: BAD PERMISSIONS
  drwxrwxrwx 2 root root 60 Aug 7 10:18 /var/games/gpe
  -rw-rw-rw- 1 root games 0 Aug 7 10:18 /var/games/gpe/gpe-tetris.dat

This allows any local user to modify and replace files in there ...

Shouldn't root:games 0664 for gpe-tetris.dat and
root:root 0755 or root:games 0775 for gpe/ be sufficient?

cheers,
Andreas
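
Added example, not part of the original report and not piuparts' own code: a shell check that reports world-writable entries under a directory in the same `ls -l` style as the output quoted in the report. The function name `audit_world_writable` and the exemption for sticky-bit directories are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from piuparts or gpe-tetris).
#
# audit_world_writable DIR
#   Lists every entry under DIR whose "other" write bit is set.
#   Returns 0 if none is found, 1 if at least one is found, 2 if DIR is
#   not a directory.
audit_world_writable() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # -perm -0002            : world-writable bit is set
    # ! -type l              : symlinks always show lrwxrwxrwx; their mode
    #                          bits are not used for access checks
    # ! ( -type d -perm -1000 ): assumption of this example: directories
    #                          with the sticky bit (1777, like /tmp) are
    #                          skipped, since users cannot remove or rename
    #                          each other's files there
    found=$(find "$dir" ! -type l -perm -0002 \
                 ! \( -type d -perm -1000 \) \
                 -exec ls -ld {} + 2>/dev/null)
    if [ -n "$found" ]; then
        echo "ERROR: BAD PERMISSIONS"
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit.sh /var/games
if [ "$#" -gt 0 ]; then
    audit_world_writable "$1"
fi
```

Run against a tree with the modes from the report (0777 directory, 0666 file) it lists both entries; with the modes proposed in the report (0755 or 0775 for the directory, 0664 for the file) it prints nothing and returns 0.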