PISA-13-APR-00-003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://www.independence.seul.org/security/2000/files/PISA-13-APR-00-003:
.------------------------------------------------.
|**** Project Independence Security Advisory ****|
`-----------* ID: PISA-13-APR-00-003 *-----------'
Issued by: David Webster <cog@seul.org>
Issue Date: 13-APR-00
Overview: Part of the gpm package (gpm-root) fails to fully drop root (gid=0)
privileges when executing user commands.
Affected: All systems running gpm-root
Independence 6.0-0.8 and 6.2 prior to the above date.
References: RHSA-2000:009-02
(http://www.redhat.com/support/errata/RHSA-2000009-02.html)
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000322182143.4498.qmail@securityfocus.com
-=-=-==-=-=-
Detailed Problem Description:
gpm is a cut and paste utility and mouse server for virtual
consoles. As part of this package, the gpm-root program allows
people to define menus and actions for display when clicking on
the background of the current tty.
The current gpm-root program fails to correctly give up group
id 0 membership before running user-defined menu commands. If you
are running gpm-root on your system then you are at risk.
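The fix for this class of defect is to shed supplementary groups and the gid while the process is still uid 0, then the uid, and then confirm that no root identity survives before a user's command is executed. The C below is an added example, not gpm's code; creds_fully_dropped, process_fully_dropped, drop_privileges and the two sample group lists are constructed here for illustration.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
int setgroups(size_t size, const gid_t *list);  /* explicit in case a strict -std hides it */
#endif

/* Pure check over a credential snapshot: 1 only if no root identity survives
 * in real/effective uid, real/effective gid, or the supplementary groups.
 * No syscalls, so it can be exercised as an unprivileged user. */
int creds_fully_dropped(uid_t uid, uid_t euid, gid_t gid, gid_t egid,
                        const gid_t *groups, int ngroups)
{
    if (uid == 0 || euid == 0 || gid == 0 || egid == 0)
        return 0;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == 0)          /* root left in the supplementary list */
            return 0;
    return 1;
}

/* Snapshot the live process credentials and run the check above. */
int process_fully_dropped(void)
{
    int n = getgroups(0, NULL);      /* ask for the count first */
    if (n < 0) return 0;
    gid_t *groups = calloc((size_t)n + 1, sizeof *groups);
    if (groups == NULL) return 0;
    n = getgroups(n, groups);
    int ok = n >= 0 && creds_fully_dropped(getuid(), geteuid(), getgid(),
                                           getegid(), groups, n);
    free(groups);
    return ok;
}

/* Drop root to uid/gid in the order that works: supplementary groups and gid
 * while still uid 0 (they need CAP_SETGID), then uid, then prove it stuck. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setgid(0) == 0 || setuid(0) == 0)   /* regained root: treat as fatal */
        return -1;
    return process_fully_dropped() ? 0 : -1;  /* 0 on success, -1 otherwise */
}
/* Constructed snapshots: a clean drop, and the gpm-root shape (gid 0 left). */
static const gid_t kGroupsClean[]    = {500, 100};
static const gid_t kGroupsRootLeft[] = {0, 500};
```

Run as root, drop_privileges returns -1 whenever a step fails or gid 0 is still held afterwards, which is exactly the residue this advisory describes.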
Solution:
Update the affected RPM packages by downloading and
installing the RPMs listed below. For each RPM, run:
root# rpm -Fvh <filename>
where <filename> is the name of the RPM.
[Note: You need only install EITHER the compiled RPM
(*.i386.rpm) OR the source RPM (*.src.rpm), NOT both.]
RPMs:
http://independence.seul.org/security/2000/rpms/gpm-1.19.1-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/gpm-1.19.1-1.i386.rpm
Source RPMs:
http://independence.seul.org/security/2000/rpms/gpm-1.19.1-1.src.rpm
ftp://updates.redhat.com/6.2/SRPMS/gpm-1.19.1-1.src.rpm
Verification:
MD5 sum                           Package Name
--------------------------------------------------------------------------
86a800ce94206877edc4f6e88272deee  gpm-1.19.1-1.i386.rpm
8dedce47f4e6aa7bbfb36d9630561cd4  gpm-1.19.1-1.src.rpm
--------------------------------------------------------------------------
These packages are GPG signed by Red Hat, Inc. for security.
Their key is available at: http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm --checksig <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg <filename>
This security advisory, and all future ones, should be signed by me,
David Webster (aka cognition) <cog@seul.org>, with key ID: 45 FA C2 83
An archive of these messages can be found on:
http://independence.seul.org/security/
[Note: these problems were discovered and fixed by Red Hat. Thanks
also go to Egmont Koblinger and the members of the Bugtraq list.]
.---------------------------------------------------.
| Any problems regarding this, or future advisories |
| should be emailed to me: <cog@seul.org> |
`---------------------------------------------------'
-----BEGIN PGP SIGNATURE-----
Comment: David Webster (aka cogNiTioN) <http://www.cognite.net/>
iD8DBQE490kRDdLNO0X6woMRAjBgAKCM/IgIXXgLY0TA4XuJzqIjFUvQSACg2HDZ
ykET2pL2OqD9N9mds5gNGxA=
=IxPe
-----END PGP SIGNATURE-----