Bug#489988: projectl: Creates file in current working directory

2008-07-13 Thread Guillem Jover
Hi,

On Thu, 2008-07-10 at 10:19:55 +, Miriam Ruiz wrote:
> I'll try to fix it as soon as I can.

I guess it would be really nice if you could follow the XDG base dir
spec while you are at it.

thanks,
guillem



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#489988: projectl: Creates file in current working directory

2008-07-10 Thread Miriam Ruiz
I'll try to fix it as soon as I can.

Thanks,
Miry






Bug#489988: projectl: Creates file in current working directory

2008-07-09 Thread Nico Golde
Hi Guillem,
* Guillem Jover [EMAIL PROTECTED] [2008-07-09 09:19]:
> This game creates the file projectL.prf on the current working dir
> every time it's run. It should probably create it under a dot dir on
> the home dir. Setting as important as this might be a security problem
> (it might even well be RC).

The code that does this seems to be the following from br/prefmanager.d:
    public void save() {
        auto File fd = new File;
        fd.create(PREF_FILE);
        fd.write(VERSION_NUM);
        _prefData.save(fd);
        fd.close();
    }
    public PrefData prefData() {
        return _prefData;
    }

Does anyone know if this would follow symlinks, thus opening a symlink attack
here?
I have no idea of the D programming language.
Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#489988: projectl: Creates file in current working directory

2008-07-09 Thread Nico Golde
Hi,
* Nico Golde [EMAIL PROTECTED] [2008-07-09 13:37]:
> * Guillem Jover [EMAIL PROTECTED] [2008-07-09 09:19]:
> > This game creates the file projectL.prf on the current working dir
> > every time it's run. It should probably create it under a dot dir on
> > the home dir. Setting as important as this might be a security problem
> > (it might even well be RC).
>
> The code that does this seems to be the following from br/prefmanager.d:
>     public void save() {
>         auto File fd = new File;
>         fd.create(PREF_FILE);
>         fd.write(VERSION_NUM);
>         _prefData.save(fd);
>         fd.close();
>     }
>     public PrefData prefData() {
>         return _prefData;
>     }
>
> Does anyone know if this would follow symlinks, thus opening a symlink attack
> here?
> I have no idea of the D programming language.

Or can you send an strace of the process to the bug report?

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#489988: projectl: Creates file in current working directory

2008-07-09 Thread Guillem Jover
On Wed, 2008-07-09 at 13:16:04 +0200, Nico Golde wrote:
> Hi Guillem,
>
> * Guillem Jover [EMAIL PROTECTED] [2008-07-09 09:19]:
> > This game creates the file projectL.prf on the current working dir
> > every time it's run. It should probably create it under a dot dir on
> > the home dir. Setting as important as this might be a security problem
> > (it might even well be RC).
>
> The code that does this seems to be the following from br/prefmanager.d:
>     public void save() {
>         auto File fd = new File;
>         fd.create(PREF_FILE);
>         fd.write(VERSION_NUM);
>         _prefData.save(fd);
>         fd.close();
>     }
>     public PrefData prefData() {
>         return _prefData;
>     }
>
> Does anyone know if this would follow symlinks, thus opening a symlink
> attack here?
> I have no idea of the D programming language.

I tested this yesterday and it does follow symlinks.

regards,
guillem
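
Added example, not part of the thread and not projectl's code: one way to save a preferences file under the XDG config directory so that a symlink sitting at the final name is replaced rather than followed, written in C rather than D. The `projectl` directory name, the function names and the sample data are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fill dir with $XDG_CONFIG_HOME/projectl or $HOME/.config/projectl.
 * The "projectl" subdirectory name is an assumption of this example. */
int pref_dir(char *dir, size_t n) {
    const char *xdg = getenv("XDG_CONFIG_HOME"), *home = getenv("HOME");
    int len = -1;
    if (xdg && xdg[0] == '/')          /* the spec ignores relative paths */
        len = snprintf(dir, n, "%s/projectl", xdg);
    else if (home && home[0] == '/')
        len = snprintf(dir, n, "%s/.config/projectl", home);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Save buf as dir/projectL.prf (the parent of dir must exist). mkstemp()
 * opens a fresh file with O_CREAT|O_EXCL, mode 0600; rename() then swaps the
 * directory entry, so a symlink at the final name is replaced, not followed. */
int save_prefs(const char *dir, const void *buf, size_t len) {
    char tmp[4096], dst[4096];
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    if (snprintf(tmp, sizeof tmp, "%s/projectL.prf.XXXXXX", dir) >= (int)sizeof tmp ||
        snprintf(dst, sizeof dst, "%s/projectL.prf", dir) >= (int)sizeof dst)
        return -1;
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    int ok = write(fd, buf, len) == (ssize_t)len && fsync(fd) == 0;
    if (close(fd) != 0) ok = 0;
    if (!ok || rename(tmp, dst) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Constructed check: plant a symlink at the final name, save, inspect. */
int symlink_is_not_followed(void) {
    char base[] = "/tmp/prefdemo.XXXXXX", dir[64], victim[64], lnk[96];
    struct stat v, p;
    if (!mkdtemp(base) || setenv("XDG_CONFIG_HOME", base, 1) != 0) return 0;
    if (pref_dir(dir, sizeof dir) != 0 || mkdir(dir, 0700) != 0) return 0;
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(lnk, sizeof lnk, "%s/projectL.prf", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fclose(f) != 0 || symlink(victim, lnk) != 0) return 0;
    return save_prefs(dir, "v1", 2) == 0 && stat(victim, &v) == 0 && v.st_size == 0 &&
           lstat(lnk, &p) == 0 && S_ISREG(p.st_mode) && p.st_size == 2;
}
```

The check leaves a scratch directory under /tmp; the file the symlink pointed to stays empty while projectL.prf becomes a regular two-byte file.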






Bug#489988: projectl: Creates file in current working directory

2008-07-09 Thread Nico Golde
Hi Guillem,
* Guillem Jover [EMAIL PROTECTED] [2008-07-09 16:36]:
> On Wed, 2008-07-09 at 13:16:04 +0200, Nico Golde wrote:
> > * Guillem Jover [EMAIL PROTECTED] [2008-07-09 09:19]:
> > > This game creates the file projectL.prf on the current working dir
> > > every time it's run. It should probably create it under a dot dir on
> > > the home dir. Setting as important as this might be a security problem
> > > (it might even well be RC).
> >
> > The code that does this seems to be the following from br/prefmanager.d:
> >     public void save() {
> >         auto File fd = new File;
> >         fd.create(PREF_FILE);
> >         fd.write(VERSION_NUM);
> >         _prefData.save(fd);
> >         fd.close();
> >     }
> >     public PrefData prefData() {
> >         return _prefData;
> >     }
> >
> > Does anyone know if this would follow symlinks, thus opening a symlink
> > attack here?
> > I have no idea of the D programming language.
>
> I tested this yesterday and it does follow symlinks.

I had a brief look at the rest of the code, can you confirm 
that this happens when quitting the game?

Added this to the security tracker and I'll request a CVE id 
for it. Thanks for the heads up!

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#489988: projectl: Creates file in current working directory

2008-07-08 Thread Guillem Jover
Package: projectl
Version: 1.001.dfsg1-1
Severity: important
Tags: security

Hi,

This game creates the file projectL.prf on the current working dir
every time it's run. It should probably create it under a dot dir on
the home dir. Setting as important as this might be a security problem
(it might even well be RC).

regards,
guillem


