On Sun, Apr 19, 2020 at 11:10:48PM +0200, Moritz Muehlenhoff wrote: > Source: crawl > Severity: important > Tags: security > > This was assigned CVE-2020-11722: > https://dpmendenhall.blogspot.com/2020/03/dungeon-crawl-stone-soup.html > > Patches: > https://github.com/crawl/crawl/commit/768f60da87a3fa0b5561da5ade9309577c176d04 > https://github.com/crawl/crawl/commit/fc522ff6eb1bbb85e3de60c60a45762571e48c28
Hi! I'm aware of this issue, but Crawl as configured in Debian is not affected. Our builds are not setgid anymore, and only local play is supported (ssh and X-forwarding counting as "local"). Crawl has three user interfaces: * text (curses-like) + may be compiled with dgamelaunch support, for untrusted users * graphical SDL * graphical web (played via a browser) The Debian packaging ships only the text and SDL variants, we do not provide either dgamelaunch nor webtiles builds. So the only reason to consider patching this vulnerability is because someone might want to take Debian's .orig to compile the executable for a public server. But, public servers are notorious to pick additional customizations. That's nice when using a preferred form for modification like a git repo, but uncool with a tarball. Thus, I believe there's little point in providing a fix. Do you agree with my assessment? Meow! -- ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ in the beginning was the boot and root floppies and they were good. ⢿⡄⠘⠷⠚⠋⠀ -- <willmore> on #linux-sunxi ⠈⠳⣄⠀⠀⠀⠀