Subject: [yellowdog-updates] Yellow Dog Security Advisory: YDU-20000731-1.txt
dburcaw@terraplex.com
Date: Mon Jul 31 2000 - 23:08:42 MDT
Yellow Dog Linux Security Announcement
--------------------------------------
Package: gpm
Issue Date: July 31, 2000
Update Date: July 31, 2000
Priority: high
Advisory ID: YDU-20000731-1
1. Topic:
The gpm program shipped with a security problem.
A denial-of-service attack via /dev/gpmctl is also
possible.
2. Problem:
Two problems exist in gpm, the program used to enable mouse
control on the console when not using X Windows:
1) gpm did not perform adequate checking of setgid return values
in the gpm-root helper program. This resulted in an avenue of
attack where local users could execute arbitrary commands with
elevated group privileges.
2) /dev/gpmctl was writable by users who were not on the console.
A user could flood the socket, causing a local denial-of-service
attack.
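The unchecked-setgid pattern from item 1, next to a checked form, as an added example that is not part of the advisory and is not gpm-root's code. The function names, the setgid_fn seam and the refused_setgid stub are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical seam: lets a refused setgid() be simulated without privileges. */
typedef int (*setgid_fn)(gid_t);

/* Constructed stand-in for a setgid() call that the kernel refuses. */
static int refused_setgid(gid_t gid) { (void)gid; errno = EPERM; return -1; }

/* Unchecked pattern: the result is ignored, so the caller is always told
 * to go ahead (1) and would run the user's command with the old group. */
int drop_group_unchecked(gid_t target, setgid_fn do_setgid)
{
    do_setgid(target);
    return 1;
}

/* Checked pattern: go ahead (1) only if the call succeeded and both the
 * real and effective gid now equal the target; otherwise refuse (0). */
int drop_group_checked(gid_t target, setgid_fn do_setgid)
{
    if (do_setgid(target) != 0) {
        fprintf(stderr, "setgid(%ld) failed: %s\n", (long)target, strerror(errno));
        return 0;
    }
    return getgid() == target && getegid() == target;
}

int main(void)
{
    gid_t me = getgid();
    printf("unchecked, setgid refused: proceed=%d\n", drop_group_unchecked(me, refused_setgid));
    printf("checked,   setgid refused: proceed=%d\n", drop_group_checked(me, refused_setgid));
    printf("checked,   setgid ok:      proceed=%d\n", drop_group_checked(me, setgid));
    return 0;
}
```

A helper built on the checked form should exit without running the user's command whenever it returns 0.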
3. Solution:
a) Updating via yup...
We suggest that you use the Yellow Dog Update Program (yup)
to keep your system up-to-date. The following command will
automatically retrieve and install the fixed version of
gpm onto your system:
yup update gpm
b) Updating manually...
The update can also be retrieved manually from our ftp site
below along with the rpm command that should be used to install
the update.
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.2/ppc/RPMS/
gpm-1.19.1-1.ppc.rpm
rpm -Fvh gpm-1.19.1-1.ppc.rpm
4. Verification
MD5 checksum Package
-------------------------------- ----------------------------
02ad47b4148453760b42bd1e1c8be4b2 RPMS/gpm-1.19.1-1.ppc.rpm
93cd38f5019900eddc4cfec11cb22dc6 RPMS/gpm-devel-1.19.1-1.ppc.rpm
8dad11627d451bcf699bf05b49570b11 SRPMS/gpm-1.19.1-1.src.rpm
If you only wish to verify that each package has not been corrupted or tampered with,
examine only the md5sum with the following command: rpm --checksig --nogpg filename
5. Misc.
Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.
For information regarding the usage of yup, the Yellow Dog Update Program, see
http://devel.yellowdoglinux.com/rp_yup.shtml