
PISA-13-APR-00-003



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.independence.seul.org/security/2000/files/PISA-13-APR-00-003:

              .------------------------------------------------.
              |**** Project Independence Security Advisory ****|
              `-----------* ID: PISA-13-APR-00-003 *-----------'
                    Issued by: David Webster <cog@seul.org>

Issue Date: 13-APR-00

Overview: Part of the gpm package (gpm-root) fails to fully drop root (gid=0)
	  privileges when executing user commands.

Affected: All systems running gpm-root 
	  Independence 6.0-0.8 and 6.2 prior to the above date.

References: RHSA-2000:009-02 
	    (http://www.redhat.com/support/errata/RHSA-2000009-02.html)
	    http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000322182143.4498.qmail@securityfocus.com
            
                                  -=-=-==-=-=-

Detailed Problem Description:
	gpm is a cut and paste utility and mouse server for virtual
	consoles. As part of this package, the gpm-root program allows
	users to define menus and actions that are displayed when clicking on
	the background of the current tty.

	The current gpm-root program fails to correctly give up group
	id 0 membership before executing the commands behind user-defined
	menus. If you are running gpm-root on your system then you are at risk.
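	The following is an added illustration of the bug class described
	above; it is not code from the original advisory or from the gpm
	sources. It shows the privilege-dropping order a program such as
	gpm-root must use before executing a user-defined command
	(supplementary groups and gid while still root, uid last), verifies
	the result instead of trusting the calls, and for contrast shows the
	order that leaves gid 0 behind. Function names (ids_dropped,
	drop_privileges, drop_privileges_wrong_order, run_user_command) are
	hypothetical, and the code assumes a Linux/POSIX system.

```c
/* Added example (hypothetical helpers, not gpm's code): dropping root
 * privileges correctly before running a user-defined command. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_GROUPS 256

/* Return 1 if the real and effective uid/gid are exactly the target and
 * no supplementary group is 0 (unless the target gid itself is 0). */
int ids_dropped(uid_t uid, gid_t gid)
{
    gid_t groups[MAX_GROUPS];
    int n, i;

    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    n = getgroups(MAX_GROUPS, groups);
    if (n < 0)
        return 0;
    for (i = 0; i < n; i++)
        if (groups[i] == 0 && gid != 0)
            return 0;
    return 1;
}

/* Drop to uid/gid in the only order that works: supplementary groups and
 * gid while still root, uid last.  Returns 0 on success, -1 with errno set
 * otherwise; a caller that gets -1 must not run the user's command. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may change the supplementary group list; an unprivileged
     * caller (e.g. this example run as a normal user) skips that step. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the outcome rather than trusting the calls above. */
    if (!ids_dropped(uid, gid)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* The bug class in the advisory: the uid is dropped first, so when run as
 * root the later setgid() fails with EPERM (root is already gone) and the
 * process keeps gid 0.  Shown only for contrast; never use this order. */
int drop_privileges_wrong_order(uid_t uid, gid_t gid)
{
    if (setuid(uid) != 0)
        return -1;
    if (setgid(gid) != 0)   /* fails once uid != 0, leaving gid 0 behind */
        return -1;
    return 0;
}

/* Fork, drop privileges in the child, then exec the user-defined command.
 * Returns the child's exit status, or -1 if fork/wait failed; the child
 * exits 127 without running the command if privileges cannot be dropped. */
int run_user_command(uid_t uid, gid_t gid, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0) {
            perror("drop_privileges");
            _exit(127);
        }
        execvp(argv[0], argv);
        perror("execvp");
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    /* Usage: ./drop <uid> <gid> cmd [args...]; run as root to see the real
     * effect, as a normal user it simply re-asserts your own ids. */
    uid_t uid = argc > 2 ? (uid_t)atoi(argv[1]) : getuid();
    gid_t gid = argc > 2 ? (gid_t)atoi(argv[2]) : getgid();
    char *def[] = { "id", NULL };
    char **cmd = argc > 3 ? &argv[3] : def;
    int rc = run_user_command(uid, gid, cmd);

    printf("command exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

	Run as root with a non-root uid and gid, the default command "id"
	prints the dropped identity; the same run through
	drop_privileges_wrong_order would report gid=0. The check in
	ids_dropped is what a program in gpm-root's position should perform
	before each user command, since a silently failed setgid() is exactly
	how gid 0 survives.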


Solution:

        Update the affected RPM packages by downloading and
        installing the RPMs listed below. For each RPM, run:

                root# rpm -Fvh <filename>

        where <filename> is the name of the RPM.

        [Note: You need only install EITHER the compiled RPM
        (*.i386.rpm) OR the source RPM (*.src.rpm), NOT both.]

RPMs:
	http://independence.seul.org/security/2000/rpms/gpm-1.19.1-1.i386.rpm
	ftp://updates.redhat.com/6.2/i386/gpm-1.19.1-1.i386.rpm


Source RPMs:
	http://independence.seul.org/security/2000/rpms/gpm-1.19.1-1.src.rpm
	ftp://updates.redhat.com/6.2/SRPMS/gpm-1.19.1-1.src.rpm

Verification:

MD5 sum                           Package Name
----------------------------------------------------------------------------
86a800ce94206877edc4f6e88272deee  gpm-1.19.1-1.i386.rpm
8dedce47f4e6aa7bbfb36d9630561cd4  gpm-1.19.1-1.src.rpm
----------------------------------------------------------------------------

These packages are GPG signed by Red Hat, Inc. for security.
Their key is available at: http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with in transit, check only the MD5 sum with the following command:
    rpm --checksig --nogpg <filename>

This security advisory, and all future ones, should be signed by me,
David Webster (aka cognition) <cog@seul.org>, with key ID: 45 FA C2 83

An archive of these messages can be found on:
http://independence.seul.org/security/

[Note: these problems were discovered and fixed by Red Hat. Thanks
also go to Egmont Koblinger and the members of the Bugtraq list.]

        .---------------------------------------------------.
        | And problems regarding this, or future advisories |
        |      should be emailed to me: <cog@seul.org>      |
        `---------------------------------------------------'
-----BEGIN PGP SIGNATURE-----
Comment: David Webster (aka cogNiTioN) <http://www.cognite.net/>

iD8DBQE490kRDdLNO0X6woMRAjBgAKCM/IgIXXgLY0TA4XuJzqIjFUvQSACg2HDZ
ykET2pL2OqD9N9mds5gNGxA=
=IxPe
-----END PGP SIGNATURE-----