
MeeGo alert MeeGo-SA-10:09 (gnomine)

From:  "Ware, Ryan R" <ryan.r.ware@intel.com>
To:  "meego-security@meego.com" <meego-security@meego.com>
Subject:  [MeeGo-security] [MeeGo-SA-10:09.gnomine] Improper Permissions for gnomine
Date:  Wed, 7 Jul 2010 13:59:41 -0700
Message-ID:  <C85A38CD.14E41%ryan.r.ware@intel.com>

===========================================================================
MeeGo-SA-10:09.gnomine            Security Advisory
                                                             MeeGo Project

Topic:          Improper Permissions for gnomine

Category:       Games
Module:         gnome-games
Announced:      July 7, 2010
Affects:        MeeGo 1.0
Corrected:      July 7, 2010
MeeGo BID:      2307
CVE:            None

For general information regarding MeeGo Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:http://www.MeeGo.com/>.

I.   Background

The gnome-games package is a collection of some small "five-minute" games
in a variety of styles and genres for the GNOME desktop.

II.  Problem Description

The /usr/bin/gnomine binary is setgid for the games group.  There is no
explicit reason to be setgid and this violates best known practices for
security; specifically by not using the principles of least privilege and
unintentionally expanding the attackable surface area of MeeGo.

III. Impact

A security vulnerability in gnomine would allow arbitrary code execution
as any user in the games group. (CWE-250)

IV.  Workaround

None

V.   Solution

Update to package gnome-games-2.28.0-3.1 or later.

VI.  References

http://bugs.meego.com/show_bug.cgi?id=2437
http://cwe.mitre.org/data/definitions/250.html
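The advisory's concern is a setgid bit that no code in the binary needs. As an added example (not part of the advisory or of any MeeGo tooling), the following shell functions check whether a given binary is setgid and list setgid files under a directory, optionally limited to one group such as games. The function names are hypothetical; the path /usr/bin/gnomine is the one named in the advisory.

```shell
#!/bin/sh
# Added example: audit setgid bits of the kind described in the advisory.
# Function names are hypothetical; only POSIX test(1) and find(1) are used.

# is_setgid PATH: succeeds if PATH is a regular file with the setgid bit set.
is_setgid() {
    [ -f "$1" ] && [ -g "$1" ]
}

# list_setgid DIR [GROUP]: print every setgid regular file under DIR,
# staying on one filesystem. With GROUP (a name or numeric gid), only
# files owned by that group are printed.
list_setgid() {
    dir=$1
    group=${2:-}
    if [ -n "$group" ]; then
        find "$dir" -xdev -type f -perm -2000 -group "$group" -print 2>/dev/null
    else
        find "$dir" -xdev -type f -perm -2000 -print 2>/dev/null
    fi
}

# check_binary PATH: report on one binary.
# Returns 0 if PATH is not setgid (or absent), 1 if it is setgid.
check_binary() {
    if is_setgid "$1"; then
        echo "FAIL: $1 is setgid; confirm that it needs the group privilege"
        return 1
    fi
    echo "OK: $1 is not setgid (or is not installed)"
    return 0
}

# When run with a path argument, check that one binary, for example:
#   sh audit.sh /usr/bin/gnomine
if [ $# -gt 0 ]; then
    check_binary "$1"
fi
```

To review everything the games group can run with elevated group privilege, call `list_setgid /usr games` after sourcing the file.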

