COMMAND

    squake

SYSTEMS AFFECTED

    Linux

PROBLEM

    This originally came from Greg Alexander.  The Linux squake security
    hole gives local root if squake is installed setuid root (mode 4755).

    If you call vga_init() (where svgalib gives up its root privileges) at
    the beginning of main(), no problemo.  If you call it later, then
    everything executed before vga_init() runs as root.  Quake is a very
    easy program to cause to segfault.

    If a program can be made to segfault while it is running as root, it
    can almost always be made to yield root.  There are probably several
    segfault opportunities, but the most obvious is in the command-line
    parsing:

        squake -game aaaaaaaaaaaaaa    (with 152 a's in total)

    will segfault every time.

SOLUTION

    The fix is simple -- move the vga_init() call back to the beginning
    of main().  You may want to put the svgalib main stuff into its own
    file so you don't have to add an empty vga_init() { } stub to the X
    and other platform files.  It can be temporarily pseudo-fixed by
    merely doing:

        chown root.console squake
        chmod 4750 squake

    and make sure that only trusted individuals are in group console.