
registry team mailing list archive

[Bug 696810] [NEW] RM: pytris -- RoM; security issues; abandoned upstream

 

*** This bug is a security vulnerability ***

Public security bug reported:

Imported from Debian bug 608689:

Package: pytris
Version: 0.98+nmu1
Severity: grave
Tags: security
Justification: user security hole

The setgid wrapper for this game makes no attempt at security.

It can trivially be used to execute code as group games, which can be
used to exploit other players of the game via the score file.

It could be fixed - the security team suggests dropping the shared score
file, and thus the wrapper. However, this package has not seen a
maintainer upload in years, and is stated as being unmaintained by the
author, on his website:
http://korpus.juls.savba.sk/~garabik/software/

I believe the best solution is removal, from unstable, squeeze, and
lenny.

Radovan, are you OK with reassigning this to ftp.debian.org?

SR

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_ZA.UTF-8, LC_CTYPE=en_ZA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pytris depends on:
ii  python                  2.6.6-3+squeeze4 interactive high-level object-orie

pytris recommends no packages.

pytris suggests no packages.

-- no debconf information

** Affects: pytris (Ubuntu)
     Importance: High
         Status: Confirmed

** Affects: pytris (Debian)
     Importance: Unknown
         Status: Unknown

** Bug watch added: Debian Bug tracker #608689
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608689

** Also affects: pytris (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608689
   Importance: Unknown
       Status: Unknown

** This bug has been flagged as a security vulnerability

** Changed in: pytris (Ubuntu)
   Importance: Undecided => High

** Changed in: pytris (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Registry
Administrators, which is the registrant for Debian.
https://bugs.launchpad.net/bugs/696810

Title:
  RM: pytris -- RoM; security issues; abandoned upstream


