Package: atris
Version: 1.0.7.dfsg.1-3
Severity: serious

[EMAIL PROTECTED]:~$ ls -l .atrisrc
-rw-rw-rw- 1 jbr games 518 2007-03-18 12:48 .atrisrc

This is a security issue, although not of the system-hijacking variety: a world-writable file lets any local process perform a Denial of Service by filling the partition. This on its own might not rate a DSA, but bearing in mind that atris itself can function as a network client/server (exposed to whatever exploits a bad loser in a foreign country/OS might devise) I think it needs to count as an RC bug.

I don't speak enough C to be sure where the problem is, but perhaps where it writes out its rcfile there should be some use of umask?

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18.hurakan
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages atris depends on:
ii  libc6            2.3.6.ds1-13    GNU C Library: Shared libraries
ii  libsdl-ttf2.0-0  2.0.8-3+b1      ttf library for Simple DirectMedia
ii  libsdl1.2debian  1.2.11-8        Simple DirectMedia Layer
ii  ttf-freefont     20060501cvs-10  Freefont Serif, Sans and Mono True

atris recommends no packages.

-- no debconf information
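The following C sketch is an added example, not atris's code and not part of the original report: it contrasts an rc-file writer whose resulting mode depends on the caller's umask with one that requests 0600 explicitly and repairs a file that is already world-writable. The function names, the sample path and the file contents are hypothetical, and the report does not establish that atris writes its rcfile this way.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Lax pattern: fopen() creates the file with mode 0666 & ~umask, so the
 * resulting permissions depend entirely on the caller's umask. */
int write_rcfile_lax(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fputs(data, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Hardened pattern: request 0600 at creation, refuse to follow a symlink,
 * and fchmod() so a file left world-writable by an earlier run is fixed. */
int write_rcfile_private(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) { close(fd); return -1; }
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    if (close(fd) != 0 || n != (ssize_t)len) return -1;
    return 0;
}

/* Permission bits of path, or -1 if it cannot be stat'ed. */
int rcfile_mode(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}

int main(void)
{
    const char *path = "atrisrc.example";      /* constructed sample path */
    umask(0);                                  /* worst case for the lax writer */
    unlink(path);
    write_rcfile_lax(path, "example_key=1\n"); /* constructed contents */
    printf("lax:     %04o\n", (unsigned)rcfile_mode(path));
    write_rcfile_private(path, "example_key=1\n");
    printf("private: %04o\n", (unsigned)rcfile_mode(path));
    return unlink(path);
}
```

The `fchmod()` call matters for existing installations: `open()` applies its mode argument only when it creates the file, so a `.atrisrc` already present with `-rw-rw-rw-` would otherwise keep those bits.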

