Package: attal
Version: 1.0~rc1+cvs20080318-2
Severity: serious
Tags: security

Hello Debian Games Team,

attal includes a binary /usr/games/attal-theme-editor with an rpath pointing to .:/usr/lib/attal.

chrpath /usr/games/*
/usr/games/attal-ai: RPATH=.:/usr/lib/attal
/usr/games/attal-campaign-editor: RPATH=.:/usr/lib/attal
/usr/games/attal-client: RPATH=.:/usr/lib/attal
/usr/games/attal-scenario-editor: RPATH=.:/usr/lib/attal
/usr/games/attal-server: RPATH=.:/usr/lib/attal
/usr/games/attal-theme-editor: RPATH=.:/usr/lib/attal

This allows an attacker with write access to the current working directory where attal is launched to add modified libraries which will be loaded when someone else runs attal.

Cheers,
-- 
Bill. <[EMAIL PROTECTED]>

Imagine a large red swirl here.
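
A packaging check for the problem reported above, as an added example that is not part of the original report: it reads chrpath-style output and flags search-path entries that the dynamic linker resolves against the current working directory. The function names are hypothetical, and handling of `RUNPATH=` lines and `$ORIGIN` entries is an assumption that goes beyond the `RPATH=` lines shown in the report.

```shell
#!/bin/sh
# Added example: audit "<file>: RPATH=<a>:<b>" lines (chrpath output format).

# Print each entry of a colon-separated search path that depends on the cwd.
unsafe_entries() {
    rest="$1:"                      # trailing ':' keeps a final empty entry
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            '')  echo '<empty>' ;;  # an empty component means the cwd
            /*)  ;;                 # absolute path: not cwd-dependent
            '$ORIGIN'*|'${ORIGIN}'*) ;;  # relative to the binary, not the cwd
            *)   echo "$entry" ;;   # ".", "..", "lib", ...
        esac
    done
}

# Read chrpath output on stdin; print one UNSAFE line per affected file.
# Returns 1 if any file has a cwd-dependent entry, 0 otherwise.
audit_chrpath_output() {
    status=0
    while IFS= read -r line; do
        case $line in
            *': RPATH='*|*': RUNPATH='*) ;;
            *) continue ;;          # skip lines without a search path
        esac
        file=${line%%: R*PATH=*}
        path=${line#*PATH=}
        bad=$(unsafe_entries "$path" | tr '\n' ' ')
        if [ -n "$bad" ]; then
            echo "UNSAFE $file: ${bad% }"
            status=1
        fi
    done
    return $status
}

# Sample input: two lines from the report plus one constructed clean line.
printf '%s\n' \
    '/usr/games/attal-ai: RPATH=.:/usr/lib/attal' \
    '/usr/games/attal-server: RPATH=.:/usr/lib/attal' \
    '/usr/games/constructed-ok: RPATH=/usr/lib/attal' \
    | audit_chrpath_output || echo 'cwd-dependent search paths found'
```

On an installed system the same check is `chrpath /usr/games/* | audit_chrpath_output`, and the non-zero return makes it usable as a build or CI gate.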