[Bug 524992] Review Request: toppler - platform game
Please do not reply directly to this email. All additional comments should be made in the comments box of this bug.

https://bugzilla.redhat.com/show_bug.cgi?id=524992

Hans de Goede hdego...@redhat.com changed:

What |Removed |Added
Flag |        |needinfo?(xav...@bachelot.org)

--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are on the CC list for the bug.
___
Fedora-package-review mailing list
Fedora-package-review@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-review
[Bug 524992] Review Request: toppler - platform game
--- Comment #11 from Hans de Goede hdego...@redhat.com 2010-01-04 06:24:44 EDT ---

Xavier, putting this on needinfo until you've got something for the highscore issue (just some bookkeeping so that this drops off my bugs needing attention list).
[Bug 524992] Review Request: toppler - platform game
--- Comment #12 from Xavier Bachelot xav...@bachelot.org 2010-01-04 06:31:01 EDT ---

Sure, no pb. I didn't hear back from upstream on this issue (nor on the other 1.1.4 issues either) and I hadn't had time to hack anything myself. I'll ping them again.
[Bug 524992] Review Request: toppler - platform game
David Timms dti...@iinet.net.au changed:

What |Removed |Added
CC   |        |dti...@iinet.net.au

--- Comment #9 from David Timms dti...@iinet.net.au 2009-11-22 05:07:39 EDT ---

(In reply to comment #7)
> Full review (md5sum, license, spec file readability, etc.) done, the package looks good.
> I have only one remark. I'm not completely happy with how the highscore file is handled.

Just wanted to run a possible solution past you guys:
- each high score gets added to individual gamename-highscores-username.file
- game loads and merges all gamename-highscores-usernames.file
- sorts by high score, throws away any record below the h.s.table count.
- even if you haven't made the top table, it would be nice for your best score to date to be displayed ;-)

I'm still not sure about where the game, run as a user, would store such a file, possibly a local .config/games/highscore file.

It would make sense that while joeb is playing, only the -joeb.file needs to be writable by joeb (which works out, since it is in his directory). But when jenc is playing, and the game is playing as jenc, to display the hs table, the game needs to read all -username.file from all available home dirs; that would require all users on the machine to be able to read other users' high scores. That might also trouble SELinux.
[Bug 524992] Review Request: toppler - platform game
--- Comment #10 from Hans de Goede hdego...@redhat.com 2009-11-22 08:23:07 EDT ---

(In reply to comment #9)
> Just wanted to run a possible solution past you guys:
> - each high score gets added to individual gamename-highscores-username.file
> - game loads and merges all gamename-highscores-usernames.file
> - sorts by high score, throws away any record below the h.s.table count.
> - even if you haven't made the top table, it would be nice for your best score to date to be displayed ;-)

Users' home dirs are by default not readable by other users, so this won't work.
[Bug 524992] Review Request: toppler - platform game
Hans de Goede hdego...@redhat.com changed:

What       |Removed                  |Added
Status     |NEW                      |ASSIGNED
AssignedTo |nob...@fedoraproject.org |hdego...@redhat.com
Flag       |                         |fedora-review?

--- Comment #7 from Hans de Goede hdego...@redhat.com 2009-11-21 09:09:31 EDT ---

Hi,

Full review (md5sum, license, spec file readability, etc.) done, the package looks good.

I have only one remark. I'm not completely happy with how the highscore file is handled. My problem is that toppler does not drop its sgid rights, it changes its egid, but it keeps the rights. So if someone is able to take control of the toppler process, he can then use the sgid games rights to get access to highscore files of other games, which in turn could be used to inject data into other people's processes with the purpose of taking over control of said process.

I would like to see toppler patched to open the highscore file at startup (in rw mode) as the first thing in main, and then drop the sgid rights completely. This means the lock file will have to go, this lack of highscore file locking is a problem with many games in general, but one which is usually just ignored as in practice it never gets triggered.

Regards,

Hans
[Bug 524992] Review Request: toppler - platform game
--- Comment #8 from Xavier Bachelot xav...@bachelot.org 2009-11-21 17:25:19 EDT ---

Thanks for the review, Hans. I'll follow up on the highscore file issue with upstream. I have already some issues going on with the 1.1.4 version, which includes some of the patches I added to 1.1.3, but also introduces some regressions.
[Bug 524992] Review Request: toppler - platform game
Tom spot Callaway tcall...@redhat.com changed:

What   |Removed          |Added
CC     |                 |tcall...@redhat.com
Blocks |182235(FE-Legal) |

--- Comment #6 from Tom spot Callaway tcall...@redhat.com 2009-10-06 10:40:22 EDT ---

There are no current US trademarks (live or dead) for Toppler or Tower Toppler. This isn't terribly surprising since the original company died off in the early 1990s.

Gameplay is not copyrightable/patentable, so there is no issue there. There is also no indication that the original source code was ever available, or used in the creation of this clone.

Looks fine to me, lifting FE-Legal.
[Bug 524992] Review Request: toppler - platform game
Andrea Musuruane musur...@gmail.com changed:

What   |Removed |Added
CC     |        |musur...@gmail.com
Blocks |        |182235(FE-Legal)

--- Comment #5 from Andrea Musuruane musur...@gmail.com 2009-10-05 07:06:46 EDT ---

Toppler is a reimplementation of an '80s game called Nebulus in Europe and Tower Toppler in the US.

http://en.wikipedia.org/wiki/Nebulus_%28computer_game%29

I don't think it is acceptable for Fedora. Blocking FE-LEGAL.
[Bug 524992] Review Request: toppler - platform game
--- Comment #4 from Xavier Bachelot xav...@bachelot.org 2009-10-01 18:12:28 EDT ---

New version:
- Fix License.
- Fix buffer overflow in level editor

Spec URL: http://www.bachelot.org/fedora/SPECS/toppler.spec
SRPM URL: http://www.bachelot.org/fedora/SRPMS/toppler-1.1.3-3.fc10.src.rpm
[Bug 524992] Review Request: toppler - platform game
--- Comment #2 from Jason Tibbitts ti...@math.uh.edu 2009-09-23 03:03:35 EDT ---

Have you done any security review of this package to determine whether it properly handles its setgid privileges?
[Bug 524992] Review Request: toppler - platform game
--- Comment #3 from Xavier Bachelot xav...@bachelot.org 2009-09-23 03:56:00 EDT ---

All the setegid magic is handled in highscore.cc and it seems to be fine to me. games privileges are dropped very early and are only used to write to the highscores file after. I'm no expert though, and another pair of eyes couldn't hurt.
[Bug 524992] Review Request: toppler - platform game
--- Comment #1 from Xavier Bachelot xav...@bachelot.org 2009-09-22 18:06:56 EDT ---

toppler.i586: E: non-standard-executable-perm /usr/bin/toppler 02755
toppler.i586: E: non-standard-dir-perm /var/games/toppler 0775
3 packages and 0 specfiles checked; 2 errors, 0 warnings

The binary is setgid games to write to the highscores file.
The highscores dir needs to be group writable to allow file creation from the binary.