| Summary: | rocksndiamonds new security issue CVE-2011-4606 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | oliver.bgr, stormi-mageia, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/482810/ | | |
| Whiteboard: | MGA1TOO has_procedure MGA1-32-OK MGA1-64-OK mga2-64-OK MGA2-32-OK | | |
| Source RPM: | rocksndiamonds-3.3.0.1-2.mga1.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2012-07-27 20:30:54 CEST

David Walser
2012-07-27 20:31:22 CEST
Assignee: bugsquad => oliver.bgr

Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated rocksndiamonds package fixes security vulnerability:

Artsoft Entertainment Rocks'n'Diamonds (aka rocksndiamonds) 3.3.0.1 allows local users to overwrite arbitrary files via a symlink attack on .rocksndiamonds/cache/artworkinfo.cache under a user's home directory (CVE-2011-4606).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4606
http://lists.fedoraproject.org/pipermail/package-announce/2012-February/073481.html
========================

Updated packages in core/updates_testing:
========================
rocksndiamonds-3.3.0.1-2.1.mga1
rocksndiamonds-3.3.0.1-2.1.mga2

from SRPMS:
rocksndiamonds-3.3.0.1-2.1.mga1.src.rpm
rocksndiamonds-3.3.0.1-2.1.mga2.src.rpm

CC: (none) => oliver.bgr

Given the type of package, testing the security issue seems overkill to me for this one, so I'm just testing that the game works.

Testing Mageia 1 32 complete.

Testing procedure:
- install rocksndiamonds from Core Release
- install the update from Core Updates Testing
- play it for 5 minutes
- stop playing, the game can be addictive

CC: (none) => stormi

Testing Mageia 1 64 complete.

Whiteboard: MGA1TOO has_procedure MGA1-32-OK => MGA1TOO has_procedure MGA1-32-OK MGA1-64-OK

Actually it would be good if you could verify that it's no longer creating ~/.rocksndiamonds as world writable.

Indeed I can confirm that, although it doesn't fix the rights for an already existing directory, so people have to fix it manually.

Updated testing procedure:
- install rocksndiamonds from Core Release
- play it
- check that ~/.rocksndiamonds is world writable
- remove ~/.rocksndiamonds
- install the update from Core Updates Testing
- play it for 5 minutes
- check that ~/.rocksndiamonds is not world writable
- stop playing, the game can be addictive

OK.

Advisory:
========================

Updated rocksndiamonds package fixes security vulnerability:

Artsoft Entertainment Rocks'n'Diamonds (aka rocksndiamonds) 3.3.0.1 allows local users to overwrite arbitrary files via a symlink attack on .rocksndiamonds/cache/artworkinfo.cache under a user's home directory (CVE-2011-4606).

Note: if you have previously played rocksndiamonds, you'll need to manually fix the permmissions (e.g. chmod 755 ~/.rocksndiamonds).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4606
http://lists.fedoraproject.org/pipermail/package-announce/2012-February/073481.html
========================

Updated packages in core/updates_testing:
========================
rocksndiamonds-3.3.0.1-2.1.mga1
rocksndiamonds-3.3.0.1-2.1.mga2

from SRPMS:
rocksndiamonds-3.3.0.1-2.1.mga1.src.rpm
rocksndiamonds-3.3.0.1-2.1.mga2.src.rpm

Trying again, this time without the typo!

Advisory:
========================

Updated rocksndiamonds package fixes security vulnerability:

Artsoft Entertainment Rocks'n'Diamonds (aka rocksndiamonds) 3.3.0.1 allows local users to overwrite arbitrary files via a symlink attack on .rocksndiamonds/cache/artworkinfo.cache under a user's home directory (CVE-2011-4606).

Note: if you have previously played rocksndiamonds, you'll need to manually fix the permissions (e.g. chmod 755 ~/.rocksndiamonds).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4606
http://lists.fedoraproject.org/pipermail/package-announce/2012-February/073481.html
========================

Updated packages in core/updates_testing:
========================
rocksndiamonds-3.3.0.1-2.1.mga1
rocksndiamonds-3.3.0.1-2.1.mga2

from SRPMS:
rocksndiamonds-3.3.0.1-2.1.mga1.src.rpm
rocksndiamonds-3.3.0.1-2.1.mga2.src.rpm

Testing complete mga2 64

Before
------
$ rocksndiamonds
$ ls -la | grep .rocks
drwxrwxrwx 6 claire claire 4096 Jul 31 14:02 .rocksndiamonds/

After
-----
$ rocksndiamonds
$ ls -la | grep .rocks
drwx------ 6 claire claire 4096 Jul 31 14:07 .rocksndiamonds/

Hardware: i586 => All

Thanks Claire. Fixing the advisory one more time to match those details.

Advisory:
========================

Updated rocksndiamonds package fixes security vulnerability:

Artsoft Entertainment Rocks'n'Diamonds (aka rocksndiamonds) 3.3.0.1 allows local users to overwrite arbitrary files via a symlink attack on .rocksndiamonds/cache/artworkinfo.cache under a user's home directory (CVE-2011-4606).

Note: if you have previously played rocksndiamonds, you'll need to manually fix the permissions (e.g. chmod 700 ~/.rocksndiamonds).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4606
http://lists.fedoraproject.org/pipermail/package-announce/2012-February/073481.html
========================

Updated packages in core/updates_testing:
========================
rocksndiamonds-3.3.0.1-2.1.mga1
rocksndiamonds-3.3.0.1-2.1.mga2

from SRPMS:
rocksndiamonds-3.3.0.1-2.1.mga1.src.rpm
rocksndiamonds-3.3.0.1-2.1.mga2.src.rpm

Testing complete on Mageia 2 32 in a VM.

Update validated. See comment #9 for advisory and packages.

Keywords: (none) => validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0195

Status: NEW => RESOLVED
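The two checks the thread converges on (is ~/.rocksndiamonds world writable, and has anything been planted at cache/artworkinfo.cache, the file the symlink attack in CVE-2011-4606 targets), scripted as an added example. This is not code from the bug report or from the rocksndiamonds package; it assumes the directory layout named in the advisory and the chmod 700 from the final advisory text, and the scratch directory and victim-file path in the demo are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the bug report or the rocksndiamonds package.
# Audits a rocksndiamonds data directory for the two conditions behind
# CVE-2011-4606 as described in this thread: a world-writable directory,
# and a symlink planted at cache/artworkinfo.cache (the file the game
# rewrites, so a symlink there redirects the write to an arbitrary file).
# The directory is passed as an argument so the checks can run against a
# scratch copy; the real target is ~/.rocksndiamonds.

# is_world_writable DIR: true (0) if the "other" write bit is set on DIR.
# find -prune keeps the test on DIR itself; -perm -o+w is symbolic mode.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -o+w 2>/dev/null)" ]
}

# audit_rnd_dir DIR: report findings on stdout; returns 1 if anything is wrong.
audit_rnd_dir() {
    dir=$1
    rc=0
    if is_world_writable "$dir"; then
        echo "WARN: world-writable: $(ls -ld "$dir")"
        rc=1
    fi
    f="$dir/cache/artworkinfo.cache"
    if [ -L "$f" ]; then
        echo "WARN: $f is a symlink to $(readlink "$f")"
        rc=1
    fi
    return $rc
}

# fix_rnd_dir DIR: remove a planted symlink and apply the advisory's chmod 700.
fix_rnd_dir() {
    dir=$1
    f="$dir/cache/artworkinfo.cache"
    if [ -L "$f" ]; then
        rm -f "$f"
    fi
    chmod 700 "$dir"
}

# demo: build a constructed scratch directory in the pre-update state
# (mode 777, symlinked cache file), audit it, fix it, audit again.
demo() {
    tmp=$(mktemp -d)
    d="$tmp/.rocksndiamonds"
    mkdir -m 777 "$d"
    mkdir "$d/cache"
    ln -s "$tmp/victim-file" "$d/cache/artworkinfo.cache"   # constructed attacker symlink
    echo "== before =="
    audit_rnd_dir "$d" || echo "audit failed (expected)"
    fix_rnd_dir "$d"
    echo "== after =="
    audit_rnd_dir "$d" && echo "audit clean"
    rm -rf "$tmp"
}

# Run the demo only when invoked as: sh rnd-audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it against the real directory with `audit_rnd_dir "$HOME/.rocksndiamonds"` after sourcing the script; the update fixes permissions only for a directory it creates, so on a machine that played the game before the update the audit still reports the 777 mode until `fix_rnd_dir` (or the advisory's manual chmod 700) is applied.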