From: "Ware, Ryan R" <ryan.r.ware@intel.com>
To: "meego-security@meego.com" <meego-security@meego.com>
Subject: [MeeGo-security] [MeeGo-SA-10:09.gnomine] Improper Permissions for gnomine
Date: Wed, 7 Jul 2010 13:59:41 -0700
Message-ID: <C85A38CD.14E41%ryan.r.ware@intel.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
MeeGo-SA-10:09.gnomine Security Advisory
MeeGo Project
Topic: Improper Permissions for gnomine
Category: Games
Module: gnome-games
Announced: July 7, 2010
Affects: MeeGo 1.0
Corrected: July 7, 2010
MeeGo BID: 2307
CVE: None
For general information regarding MeeGo Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://www.MeeGo.com/>.
I. Background
The gnome-games package is a collection of some small "five-minute"
games in a variety of styles and genres for the GNOME desktop.
II. Problem Description
The /usr/bin/gnomine binary is setgid for the games group. There is
no explicit reason for it to be setgid, and this violates best known
practices for security, specifically by not following the principles of
least privilege and by unintentionally expanding the attackable surface
area of MeeGo.
III. Impact
A security vulnerability in gnomine would allow arbitrary code
execution as any user in the games group. (CWE-250)
IV. Workaround
None
V. Solution
Update to package gnome-games-2.28.0-3.1 or later.
VI. References
http://bugs.meego.com/show_bug.cgi?id=2437
http://cwe.mitre.org/data/definitions/250.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
-----END PGP SIGNATURE-----
_______________________________________________
MeeGo-security mailing list
MeeGo-security@meego.com
http://lists.meego.com/listinfo/meego-security
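An added example, not part of the advisory or of MeeGo's tooling: a small audit for the condition described in section II, reporting regular files that carry setuid or setgid bits and are not on a reviewed allowlist. The allowlist entry, the sample modes and the numeric group IDs are constructed for illustration.

```python
import os
import stat

# Assumption: programs the administrator has reviewed and accepted as setgid.
ALLOWLIST = {"/usr/bin/write"}  # constructed sample entry


def special_bits(mode):
    """Return the privilege-raising bits set on a regular file's mode."""
    if not stat.S_ISREG(mode):
        return []  # setgid on a directory only controls group inheritance
    bits = []
    if mode & stat.S_ISUID:
        bits.append("setuid")
    # setgid without group-execute does not change the group of a running program
    if mode & stat.S_ISGID and mode & stat.S_IXGRP:
        bits.append("setgid")
    return bits


def review(records, allowlist=ALLOWLIST):
    """records: iterable of (path, st_mode, st_gid); return findings not allowlisted."""
    findings = []
    for path, mode, gid in records:
        bits = special_bits(mode)
        if bits and path not in allowlist:
            findings.append((path, "+".join(bits), gid, oct(stat.S_IMODE(mode))))
    return findings


def scan(root):
    """Walk root without following symlinks and collect (path, mode, gid)."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            records.append((path, st.st_mode, st.st_gid))
    return records


# Constructed sample: gnomine setgid as in the advisory; mode 2755 and gid 20 are assumed.
SAMPLE = [
    ("/usr/bin/gnomine", stat.S_IFREG | 0o2755, 20),
    ("/usr/bin/write", stat.S_IFREG | 0o2755, 5),
    ("/usr/bin/ls", stat.S_IFREG | 0o755, 0),
    ("/var/games", stat.S_IFDIR | 0o2775, 20),
]

if __name__ == "__main__":
    for finding in review(SAMPLE):  # on a real host: review(scan("/usr/bin"))
        print(*finding)
```

Each finding is a prompt to ask the question the advisory asks of gnomine: does this program have an explicit reason to run with the extra group?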