Steve Kemp reports (in a Debian bug submission):
Due to improper bounds checking it is possible for a malicious user to gain a shell with membership group 'games'. (The binary is installed setgid games). Environmental variables are used without being bounds-checked in any way, from the source code:
highscore.c:

    /* Use the environment variable if it exists */
    if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
        strcpy(filename, str);
    else
        strcpy(filename, HIGH_SCORE_FILE);

misc.c:

    if ((ptr = getenv("HOME")) != NULL)
        (void) strcpy(dest, ptr);
Neither of these checks is bounds-checked, and will allow arbitrary shell code to be run.
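
A bounds-checked replacement for the two strcpy() calls quoted above, as an added example that is not part of the report or of xboing's source. The helper name env_to_buf, the buffer size SCORE_PATH_SIZE and the value given to HIGH_SCORE_FILE are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCORE_PATH_SIZE 1024                      /* assumed buffer size */
#define HIGH_SCORE_FILE "/var/games/xboing.scr"   /* placeholder default */

/*
 * Copy environment variable `name` into dest (destsize bytes), using
 * `fallback` when the variable is unset. Returns 0 on success, -1 when the
 * string does not fit; dest is then left empty instead of truncated.
 */
static int env_to_buf(char *dest, size_t destsize,
                      const char *name, const char *fallback)
{
    const char *src;
    size_t len;

    if (dest == NULL || destsize == 0)
        return -1;
    dest[0] = '\0';

    src = getenv(name);
    if (src == NULL)
        src = fallback;
    if (src == NULL)
        return -1;

    len = strlen(src);
    if (len >= destsize)          /* no room for the terminating NUL */
        return -1;

    memcpy(dest, src, len + 1);   /* length already checked above */
    return 0;
}

int main(void)
{
    char filename[SCORE_PATH_SIZE];

    if (env_to_buf(filename, sizeof filename,
                   "XBOING_SCORE_FILE", HIGH_SCORE_FILE) != 0) {
        fprintf(stderr, "XBOING_SCORE_FILE is too long, refusing to run\n");
        return EXIT_FAILURE;
    }
    printf("score file: %s\n", filename);
    return EXIT_SUCCESS;
}
```

Rejecting an oversized value, rather than truncating it, keeps the program from silently opening a different path than the one the user supplied.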