Fedora has issued an advisory on February 11: http://lists.fedoraproject.org/pipermail/package-announce/2012-February/073481.html OpenSuSE has also issued an advisory for this today (July 27): http://lists.opensuse.org/opensuse-updates/2012-07/msg00051.html Mageia 1 and Mageia 2 are also affected.
Assignee: bugsquad => oliver.bgr
Patched packaged uploaded for Mageia 1, Mageia 2, and Cauldron. Advisory: ======================== Updated rocksndiamonds package fixes security vulnerability: Artsoft Entertainment Rocks'n'Diamonds (aka rocksndiamonds) 3.3.0.1 allows local users to overwrite arbitrary files via a symlink attack on .rocksndiamonds/cache/artworkinfo.cache under a user's home directory (CVE-2011-4606). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4606 http://lists.fedoraproject.org/pipermail/package-announce/2012-February/073481.html ======================== Updated packages in core/updates_testing: ======================== rocksndiamonds-3.3.0.1-2.1.mga1 rocksndiamonds-3.3.0.1-2.1.mga2 from SRPMS: rocksndiamonds-3.3.0.1-2.1.mga1.src.rpm rocksndiamonds-3.3.0.1-2.1.mga2.src.rpm
CC: (none) => oliver.bgrVersion: Cauldron => 2Assignee: oliver.bgr => qa-bugsSummary: rocksanddiamonds new security issue CVE-2011-4606 => rocksndiamonds new security issue CVE-2011-4606Whiteboard: (none) => MGA1TOO
Given the type of package, testing the security issue seems overkill to me for this one, so I'm just testing that the game works. Testing Mageia 1 32 complete. Testing procedure: - install rocksndiamonds from Core Release - install the update from Core Updates Testing - play it for 5 minutes - stop playing, the game can be addictive
CC: (none) => stormiWhiteboard: MGA1TOO => MGA1TOO has_procedure MGA1-32-OK
Testing Mageia 1 64 complete.
Whiteboard: MGA1TOO has_procedure MGA1-32-OK => MGA1TOO has_procedure MGA1-32-OK MGA1-64-OK
Actually it would be good if you could verify that it's no longer creating ~/.rocksndiamonds as world writable.
Indeed I can confirm that, although it doesn't fix the rights for an already existing directory so people have to fix it manually. Updated testing procedure: - install rocksndiamonds from Core Release - play it - check that ~/.rocksndiamonds is world writable - remove ~/.rocksndiamonds - install the update from Core Updates Testing - play it for 5 minutes - check that ~/.rocksndiamonds is not world writable - stop playing, the game can be addictive
OK. Advisory: ======================== Updated rocksndiamonds package fixes security vulnerability: Artsoft Entertainment Rocks'n'Diamonds (aka rocksndiamonds) 3.3.0.1 allows local users to overwrite arbitrary files via a symlink attack on .rocksndiamonds/cache/artworkinfo.cache under a user's home directory (CVE-2011-4606). Note: if you have previously played rocksndiamonds, you'll need to manually fix the permmissions (e.g. chmod 755 ~/.rocksndiamonds). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4606 http://lists.fedoraproject.org/pipermail/package-announce/2012-February/073481.html ======================== Updated packages in core/updates_testing: ======================== rocksndiamonds-3.3.0.1-2.1.mga1 rocksndiamonds-3.3.0.1-2.1.mga2 from SRPMS: rocksndiamonds-3.3.0.1-2.1.mga1.src.rpm rocksndiamonds-3.3.0.1-2.1.mga2.src.rpm
Trying again, this time without the typo! Advisory: ======================== Updated rocksndiamonds package fixes security vulnerability: Artsoft Entertainment Rocks'n'Diamonds (aka rocksndiamonds) 3.3.0.1 allows local users to overwrite arbitrary files via a symlink attack on .rocksndiamonds/cache/artworkinfo.cache under a user's home directory (CVE-2011-4606). Note: if you have previously played rocksndiamonds, you'll need to manually fix the permissions (e.g. chmod 755 ~/.rocksndiamonds). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4606 http://lists.fedoraproject.org/pipermail/package-announce/2012-February/073481.html ======================== Updated packages in core/updates_testing: ======================== rocksndiamonds-3.3.0.1-2.1.mga1 rocksndiamonds-3.3.0.1-2.1.mga2 from SRPMS: rocksndiamonds-3.3.0.1-2.1.mga1.src.rpm rocksndiamonds-3.3.0.1-2.1.mga2.src.rpm
Testing complete mga2 64 Before ------ $ rocksndiamonds $ ls -la | grep .rocks drwxrwxrwx 6 claire claire 4096 Jul 31 14:02 .rocksndiamonds/ After ----- $ rocksndiamonds $ ls -la | grep .rocks drwx------ 6 claire claire 4096 Jul 31 14:07 .rocksndiamonds/
Hardware: i586 => AllWhiteboard: MGA1TOO has_procedure MGA1-32-OK MGA1-64-OK => MGA1TOO has_procedure MGA1-32-OK MGA1-64-OK mga2-64-OK
Thanks Claire. Fixing the advisory one more time to match those details. Advisory: ======================== Updated rocksndiamonds package fixes security vulnerability: Artsoft Entertainment Rocks'n'Diamonds (aka rocksndiamonds) 3.3.0.1 allows local users to overwrite arbitrary files via a symlink attack on .rocksndiamonds/cache/artworkinfo.cache under a user's home directory (CVE-2011-4606). Note: if you have previously played rocksndiamonds, you'll need to manually fix the permissions (e.g. chmod 700 ~/.rocksndiamonds). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4606 http://lists.fedoraproject.org/pipermail/package-announce/2012-February/073481.html ======================== Updated packages in core/updates_testing: ======================== rocksndiamonds-3.3.0.1-2.1.mga1 rocksndiamonds-3.3.0.1-2.1.mga2 from SRPMS: rocksndiamonds-3.3.0.1-2.1.mga1.src.rpm rocksndiamonds-3.3.0.1-2.1.mga2.src.rpm
Testing complete on Mageia 2 32 in a VM. Update validated. Se comment #9 for advisory and packages.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: MGA1TOO has_procedure MGA1-32-OK MGA1-64-OK mga2-64-OK => MGA1TOO has_procedure MGA1-32-OK MGA1-64-OK mga2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0195
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED