Package: attal
Version: 1.0~rc1+cvs20080318-2
Severity: serious
Tags: security

Hello Debian Games Team,
attal includes a binary /usr/games/attal-theme-editor with an rpath
pointing to .:/usr/lib/attal.

chrpath /usr/games/*
/usr/games/attal-ai: RPATH=.:/usr/lib/attal
/usr/games/attal-campaign-editor: RPATH=.:/usr/lib/attal
/usr/games/attal-client: RPATH=.:/usr/lib/attal
/usr/games/attal-scenario-editor: RPATH=.:/usr/lib/attal
/usr/games/attal-server: RPATH=.:/usr/lib/attal
/usr/games/attal-theme-editor: RPATH=.:/usr/lib/attal

This allows an attacker with write access to the current working directory
where attal is launched to add modified libraries which will be loaded
when someone else runs attal.

Cheers,
-- 
Bill. <[EMAIL PROTECTED]>

Imagine a large red swirl here. 
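
An audit check for the condition reported above, as an added example that is not part of the original report or of the attal package: it reads chrpath-style output and flags rpath entries the loader resolves against the current working directory. The function names and the two `example-*` paths are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the report): flag RPATH/RUNPATH entries that the
# dynamic loader resolves against the current working directory.

# Print every unsafe entry of a colon-separated rpath, one per line.
# Unsafe = relative entry such as "." or "lib", or an empty entry
# (glibc reads a zero-length entry as the current directory).
unsafe_rpath_entries() {
    rest=$1
    while :; do
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:}; last=0 ;;
            *)   entry=$rest; last=1 ;;
        esac
        case $entry in
            '')                         echo '<empty>' ;;
            /*|'$ORIGIN'*|'${ORIGIN}'*) ;;  # absolute, or relative to the binary
            *)                          echo "$entry" ;;
        esac
        if [ "$last" -eq 1 ]; then break; fi
    done
}

# Read "file: RPATH=..." lines (the chrpath format shown in the report) on
# stdin, report offenders, and return 1 if any were found.
audit_chrpath() {
    status=0
    while IFS= read -r line; do
        case $line in
            *': RPATH='*)   file=${line%%: RPATH=*};   path=${line#*: RPATH=} ;;
            *': RUNPATH='*) file=${line%%: RUNPATH=*}; path=${line#*: RUNPATH=} ;;
            *) continue ;;  # e.g. files without an rpath tag
        esac
        bad=$(unsafe_rpath_entries "$path" | tr '\n' ' ')
        if [ -n "$bad" ]; then
            echo "UNSAFE $file: ${bad% }"
            status=1
        fi
    done
    return "$status"
}

# Sample input: line 1 is from the report, lines 2-3 are constructed.
sample_chrpath_output() {
    printf '%s\n' \
        '/usr/games/attal-client: RPATH=.:/usr/lib/attal' \
        '/usr/games/example-fixed: RPATH=/usr/lib/attal' \
        '/usr/games/example-trailing: RUNPATH=/usr/lib/attal:'
}

sample_chrpath_output | audit_chrpath || echo "unsafe rpath entries found"
```

On an installed system the same check runs as `chrpath /usr/games/* | audit_chrpath`, and the non-zero exit status lets a package QA job fail on any finding.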


