Gentoo Archives: gentoo-user

From: nunojsilva@ist.utl.pt (Nuno J. Silva)
To: gentoo-user@l.g.o
Subject: [gentoo-user] Re: gentoo netheck
Date: Tue, 01 Jan 2013 22:26:33
Message-Id: 877gnw5yi3.fsf@ist.utl.pt
In Reply to: Re: [gentoo-user] gentoo netheck by Bryan Gardiner

On 2013-01-01, Bryan Gardiner wrote:

> On Wed, 2 Jan 2013 02:01:52 +0800
> Analuin Abyssbeholder <cntqrxj@×××××.com> wrote:
>
>> Today I wanted to install nethack and found it is masked:
>>
>> The following mask changes are necessary to proceed:
>> #required by nethack (argument)
>> # /usr/portage/profiles/package.mask:
>> # Tavis Ormandy <taviso@g.o> <taviso@g.o> (21 Mar 2006)
>> # masked pending unresolved security issues #125902
>> =games-roguelike/nethack-3.4.3-r1
>>
>> Then I googled and viewed
>> https://bugs.gentoo.org/show_bug.cgi?id=125902#c82.

Well, you could have just gone to bugs.gentoo.org and searched for
125902 :-)

>> It turned out the bug has existed for more than six years and is
>> related to gentoo's group game policy. So can I just manually install
>> nethack as a common user ?
>
> If you're the only user of your computer, you could also just unmask
> the version in Portage. The bug is that any user in the games group
> can edit all save files, so if you want to hack your own saves, go
> ahead :). Or if you trust all games users.

The main problem is not the cheating, but that nethack does not employ
any kind of checks on the scores file when reading it; this effectively
enables an attack vector where anyone with access to the scores file can
exploit vulnerabilities in nethack simply by writing a specially-crafted
score file.

Nethack just relies on being setgid to a group and installing the scores
file as writeable by that group. Unfortunately, that happens to be the
very same "games" group Gentoo uses to group users who are allowed to
play games, therefore rendering nethack's protection useless.

>
> Doesn't look like there's any newer version of NetHack out, either.
>
> Cheers,
> Bryan
>
>

--
Nuno Silva (aka njsg)
http://njsg.sdf-eu.org/
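
The group-trust problem described in the message above, as an added example that is not part of the original thread and is not nethack or Gentoo code: a Python check that flags state files a setgid binary relies on when the protecting group also has login users as members. The paths, the gid and the user names are constructed placeholders.

```python
import grp
import os
import pwd
import stat
from dataclasses import dataclass

@dataclass
class FileMeta:
    """The os.stat() fields this check needs."""
    path: str
    mode: int
    gid: int

def stat_meta(path):
    """Collect FileMeta for a real file."""
    st = os.stat(path)
    return FileMeta(path, st.st_mode, st.st_gid)

def members_of(gid):
    """Login names holding gid as a supplementary or primary group."""
    names = set(grp.getgrgid(gid).gr_mem)
    return names | {p.pw_name for p in pwd.getpwall() if p.pw_gid == gid}

def shared_group_findings(binary, state_files, members):
    """List state files whose setgid-group protection is void.

    members: login names in binary.gid. If any exist, those users can
    write the file directly, without going through the setgid binary.
    """
    if not binary.mode & stat.S_ISGID:
        return []  # binary gains no group identity, nothing to compare
    findings = []
    for f in state_files:
        if f.mode & stat.S_IWOTH:
            findings.append((f.path, "world-writable"))
        elif f.gid == binary.gid and f.mode & stat.S_IWGRP and members:
            findings.append((f.path, "writable by: " + ", ".join(sorted(members))))
    return findings

# Constructed sample (placeholder paths, gid and users, not from a real system).
GAMES_GID = 35
BINARY = FileMeta("/example/bin/game", stat.S_IFREG | 0o2755, GAMES_GID)
RECORD = FileMeta("/example/var/game/record", stat.S_IFREG | 0o664, GAMES_GID)

if __name__ == "__main__":
    # Group doubles as "users allowed to play": protection is void.
    print(shared_group_findings(BINARY, [RECORD], {"alice", "bob"}))
    # Dedicated group with no login members: only the setgid binary can write.
    print(shared_group_findings(BINARY, [RECORD], set()))
```

On a live system, pass `stat_meta(path)` results and `members_of(binary.gid)` in place of the constructed constants.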

Replies

Subject Author
Re: [gentoo-user] Re: gentoo netheck Philip Webb <purslow@××××××××.net>