When Ren'Py creates a zipfile, it sets the permissions for the zip members to be 666 or 777. Info-zip's unzip program overrides the user's umask when decompressing by default, so *any* code running on the same computer can modify game files if it can read the directory that they were extracted into, and thus gain access to the account that the user is playing the game in. Apple (confirmed in Lion and Jaguar), Debian (confirmed in Wheezy), and the upstream source all ship vulnerable versions of unzip.
You should be able to patch old Ren'Py versions by finding where in the launcher the zip members' external attributes are set - lines like:
    zi.external_attr = long(0100777) << 16
    zi.external_attr = long(0100666) << 16
    zi.external_attr = (long(0040777) << 16) | 0x10
and changing the 777s and 666s to 755 and 644 respectively. It's only important to change on zips - Linux tar.bz2 archives also have mode 666/777, but the Linux tar program (at least on Debian) honours umasks properly so they. Note that all-architecture zip distributions and Windows zip distributions being played using Wine *DO* have vulnerable permissions.
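An added example (my own code, not from this post or from Ren'Py's launcher) that sets the member permissions the way described above, 0644 for files and 0755 for directories, and also scans an existing zip for members whose mode grants write access to group or other. The sample archive and its contents are constructed inline.

```python
import io
import stat
import zipfile

# Unix mode values a zip member should carry: 0644 for files, 0755 for directories.
SAFE_FILE_MODE = 0o100644
SAFE_DIR_MODE = 0o040755


def safe_external_attr(is_dir):
    """external_attr for a member that is not group- or world-writable."""
    attr = (SAFE_DIR_MODE if is_dir else SAFE_FILE_MODE) << 16
    if is_dir:
        attr |= 0x10  # MS-DOS directory flag, kept as in the launcher line
    return attr


def add_member(zf, name, data=b"", is_dir=False):
    """Write one member with safe permissions instead of 666/777."""
    if is_dir and not name.endswith("/"):
        name += "/"
    zi = zipfile.ZipInfo(name)
    zi.external_attr = safe_external_attr(is_dir)
    zf.writestr(zi, b"" if is_dir else data)


def member_mode(zi):
    """Unix permission bits stored in the high 16 bits of external_attr."""
    return (zi.external_attr >> 16) & 0o7777


def world_writable_members(zip_bytes):
    """Names of members whose stored mode lets group or other write them."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            if member_mode(zi) & (stat.S_IWGRP | stat.S_IWOTH):
                bad.append(zi.filename)
    return bad


def build_demo_zip(unsafe):
    """Constructed sample: one script file, written with the old or the fixed mode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        script = b"label start:\n    return\n"
        if unsafe:
            zi = zipfile.ZipInfo("game/script.rpy")
            zi.external_attr = 0o100666 << 16  # the pre-fix launcher value
            zf.writestr(zi, script)
        else:
            add_member(zf, "game", is_dir=True)
            add_member(zf, "game/script.rpy", script)
    return buf.getvalue()
```

Running world_writable_members over a distributed zip is a quick way to confirm that a rebuilt release no longer carries the 666/777 modes.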