Andreas Beckmann
2012-Aug-07 14:49 UTC
[Secure-testing-team] Bug#684178: gpe-tetris: creates world writable directory /var/games/gpe
Package: gpe-tetris
Version: 0.6.4-2
Severity: grave
Tags: security
Justification: user security hole
User: debian-qa at lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I found that gpe-tetris creates a world writable directory and a world writable file in there:

  ERROR: BAD PERMISSIONS
  drwxrwxrwx 2 root root 60 Aug 7 10:18 /var/games/gpe
  -rw-rw-rw- 1 root games 0 Aug 7 10:18 /var/games/gpe/gpe-tetris.dat

This allows any local user to modify and replace files in there ...

Shouldn't root:games 0664 for gpe-tetris.dat and root:root 0755 or root:games 0775 for gpe/ be sufficient?

cheers,

Andreas
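
An added example, not part of the original report and not piuparts' own code: a shell audit that flags the permission pattern reported above, followed by the mode change the report proposes. The function names are hypothetical, and a constructed temporary tree stands in for /var/games/gpe; ownership (root:games) is not changed here.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the tree is constructed.

# List world-writable regular files, and world-writable directories that
# lack the sticky bit, below $1. Only mode bits are inspected.
audit_world_writable() {
    find "$1" \( \( -type d -perm -0002 ! -perm -1000 \) \
              -o \( -type f -perm -0002 \) \) -print
}

# Apply the modes proposed in the report: 0775 for the directory, 0664 for
# the data file. Ownership (root:games) is left to the packaging.
apply_suggested_modes() {
    chmod 0775 "$1" && chmod 0664 "$2"
}

# Build a constructed copy of the reported layout and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/gpe" "$t/shared"
    : > "$t/gpe/gpe-tetris.dat"
    chmod 0777 "$t/gpe"                  # drwxrwxrwx, as reported
    chmod 0666 "$t/gpe/gpe-tetris.dat"   # -rw-rw-rw-, as reported
    chmod 1777 "$t/shared"               # sticky, /tmp-style: not flagged
    printf '%s\n' "$t"
}

# Demo on the constructed tree: two findings before, none after.
tree=$(make_sample_tree)
echo "before:"; audit_world_writable "$tree"
apply_suggested_modes "$tree/gpe" "$tree/gpe/gpe-tetris.dat"
echo "after:";  audit_world_writable "$tree"
rm -rf "$tree"
```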