Bug 736261 (CVE-2011-4606) - VUL-0: CVE-2011-4606: rocksndiamonds: world-writable working/config directory
Status: RESOLVED FIXED
Alias: CVE-2011-4606
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Reported: 2011-12-12 16:32 UTC by Ludwig Nussel
Modified: 2017-03-30 12:04 UTC
Found By: Other
Description Ludwig Nussel 2011-12-12 16:32:23 UTC
Your friendly security team received the following report via oss-security.
Please respond ASAP.
------------------------------------------------------------------------------
Date: Mon, 12 Dec 2011 09:24:56 -0700
From: Vincent Danen <vdanen@redhat.com>
Subject: [oss-security] CVE request: rocksndiamonds world-writable working/config directory

rocksndiamonds creates its ~/.rocksndiamonds/ directory as
world-writable.  This could allow a local attacker to replace a cache
file with a symbolic link to a file they would not otherwise have access
to, and the next time the victim loaded the game, it would be
overwritten.

Could a CVE be assigned to this please?

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651620
https://bugzilla.redhat.com/show_bug.cgi?id=766805

-- 
Vincent Danen / Red Hat Security Response Team
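
A defensive sketch of the issue reported above, added here as an example and not taken from the bug report, the rocksndiamonds source, or the SUSE fix: it audits a per-user directory for group/other write access, creates or tightens it to 0700, and opens a cache file with O_NOFOLLOW. The function names and the default demo path are assumptions made for illustration.

```c
/* Added illustration, not rocksndiamonds code; function names are constructed. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L  /* openat(), O_NOFOLLOW, O_DIRECTORY */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Audit: 0 if path is a real directory we own with no group/other write bit. */
int dir_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    return (st.st_uid == geteuid() && !(st.st_mode & (S_IWGRP | S_IWOTH))) ? 0 : -1;
}

/* Create the directory, or tighten an existing one we own; fchmod ignores umask. */
int ensure_private_dir(const char *path)
{
    struct stat st;
    int dfd, ok;
    if (mkdir(path, 0700) != 0 && errno != EEXIST) return -1;
    dfd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    ok = fstat(dfd, &st) == 0 && st.st_uid == geteuid() && fchmod(dfd, 0700) == 0;
    close(dfd);
    return ok ? 0 : -1;
}

/* Rewrite a cache file without following a symlink planted while the
 * directory was writable by others: O_NOFOLLOW fails the open instead. */
int open_cache_file(const char *dir, const char *name)
{
    int fd, dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    fd = openat(dfd, name, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    close(dfd);
    return fd;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "./rnd-demo-dir"; /* constructed default */
    if (ensure_private_dir(dir) != 0) { perror(dir); return 1; }
    printf("%s: %s\n", dir, dir_is_private(dir) == 0 ? "private" : "NOT private");
    return 0;
}
```

Tightening the mode does not remove links that were planted while the directory was still writable by others, which is why the open path refuses symlinks as well.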
Comment 1 Swamp Workflow Management 2011-12-12 23:00:31 UTC
bugbot adjusting priority
Comment 2 Ludwig Nussel 2011-12-13 09:54:30 UTC
CVE-2011-4606
Comment 3 Marcus Meissner 2012-07-13 07:35:40 UTC
osc mr 127799 filed.
Comment 4 Bernhard Wiedemann 2012-07-13 23:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (736261) was mentioned in
https://build.opensuse.org/request/show/127863 Factory / rocksndiamonds
Comment 5 Marcus Meissner 2012-07-27 16:29:50 UTC
released
Comment 6 Swamp Workflow Management 2012-07-27 17:08:28 UTC
openSUSE-SU-2012:0918-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 736261
CVE References: CVE-2011-4606
Sources used:
openSUSE 12.1 (src):    rocksndiamonds-3.3.0.1-84.4.1
openSUSE 11.4 (src):    rocksndiamonds-3.2.4-94.2
Comment 7 Bernhard Wiedemann 2012-08-09 08:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (736261) was mentioned in
https://build.opensuse.org/request/show/130456 Evergreen:11.2 / rocksndiamonds
Comment 8 Bernhard Wiedemann 2012-08-10 05:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (736261) was mentioned in
https://build.opensuse.org/request/show/130577 Evergreen:11.2 / rocksndiamonds