Published:
16 April 2000
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2000.067 -- RHSA-2000:009-02 New gpm packages available 17 April 2000 =========================================================================== Red Hat, Inc. has released the following advisory concerning a vulnerability in the gpm-root program shipped with Red Hat Linux on several architectures. The gpm-root (part of the gpm packge) fails to drop gid 0 privileges when executing user commands. This vulnerability may allow local console users to gain privileged access. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- - - --------------------------------------------------------------------- Red Hat, Inc. Security Advisory Synopsis: gpm Advisory ID: RHSA-2000:009-02 Issue date: 2000-04-07 Updated on: 2000-04-10 Product: Red Hat Linux Keywords: gpm gpm-root gid 0 priviledge Cross references: N/A - - --------------------------------------------------------------------- 1. Topic: gpm-root (part of the gpm packge) fails to drop gid 0 priviledges when executing user commands. 2. Relevant releases/architectures: Red Hat Linux 4.2 - alpha i386 sparc Red Hat Linux 5.2 - i386 alpha sparc Red Hat Linux 6.0 - alpha i386 sparc Red Hat Linux 6.1 - i386 alpha sparc Red Hat Linux 6.2 - alpha i386 sparc 3. Problem description: gpm is a cut and paste utility and mouse server for virtual consoles. As part of this package, the gpm-root program allows people to define menus and actions for display when clicking on the background of current tty. The current gpm-root program fails to correctly give up the group id 0 membership for user defined menus. If you are running gpm-root on your system then you are at risk. 4. Solution: For each RPM for your particular architecture, run: rpm -Fvh [filename] where filename is the name of the RPM. 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info): 10340 - Exploit in gpm-root. 10644 - gpm security problem in gpm-root 6. Obsoleted by: N/A 7. Conflicts with: N/A 8. RPMs required: Red Hat Linux 4.2: alpha: ftp://updates.redhat.com/4.2/alpha/gpm-1.19.1-0.4.2.alpha.rpm intel: ftp://updates.redhat.com/4.2/i386/gpm-1.19.1-0.4.2.i386.rpm sparc: ftp://updates.redhat.com/4.2/sparc/gpm-1.19.1-0.4.2.sparc.rpm sources: ftp://updates.redhat.com/4.2/SRPMS/gpm-1.19.1-0.4.2.src.rpm Red Hat Linux 5.2: intel: ftp://updates.redhat.com/5.2/i386/gpm-1.19.1-0.5.2.i386.rpm alpha: ftp://updates.redhat.com/5.2/alpha/gpm-1.19.1-0.5.2.alpha.rpm sparc: ftp://updates.redhat.com/5.2/sparc/gpm-1.19.1-0.5.2.sparc.rpm sources: ftp://updates.redhat.com/5.2/SRPMS/gpm-1.19.1-0.5.2.src.rpm Red Hat Linux 6.0, 6.1, 6.2: alpha: ftp://updates.redhat.com/6.2/alpha/gpm-1.19.1-1.alpha.rpm intel: ftp://updates.redhat.com/6.2/i386/gpm-1.19.1-1.i386.rpm sparc: ftp://updates.redhat.com/6.2/sparc/gpm-1.19.1-1.sparc.rpm sources: ftp://updates.redhat.com/6.2/SRPMS/gpm-1.19.1-1.src.rpm 9. Verification: MD5 sum Package Name - - -------------------------------------------------------------------------- b8278a5d0a867a2fd8e6ac4a927627cb 4.2/alpha/gpm-1.19.1-0.4.2.alpha.rpm c5075756a0f74c36a94c78ccda496412 4.2/sparc/gpm-1.19.1-0.4.2.sparc.rpm b3d87c92880a9bf80d0fd3ff944e907b 4.2/SRPMS/gpm-1.19.1-0.4.2.src.rpm 7112c804fd008e137f8d6551460c10d7 4.2/i386/gpm-1.19.1-0.4.2.i386.rpm 79ebec95b2d6e48f60d4e34cfdee6f93 5.2/i386/gpm-1.19.1-0.5.2.i386.rpm c4cdced5149e773733458c234ede2ac7 5.2/SRPMS/gpm-1.19.1-0.5.2.src.rpm 330e555a09e7b5c85187d348dbf453e6 5.2/alpha/gpm-1.19.1-0.5.2.alpha.rpm 5ceda554f2549c100a88d6370e45e2f6 5.2/sparc/gpm-1.19.1-0.5.2.sparc.rpm 867c4316ec0645fd8e51b674646ef44d 6.2/alpha/gpm-1.19.1-1.alpha.rpm fbeb89d319776e7eb3af1db15679e93f 6.2/sparc/gpm-1.19.1-1.sparc.rpm 86a800ce94206877edc4f6e88272deee 6.2/i386/gpm-1.19.1-1.i386.rpm 8dedce47f4e6aa7bbfb36d9630561cd4 6.2/SRPMS/gpm-1.19.1-1.src.rpm These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/corp/contact.html You can verify each package with the following command: rpm --checksig <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg <filename> 10. References: http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000322182143.4498.qmail@securityfocus.com Thanks also go to Egmont Koblinger and the members of the Bugtraq list. Cristian - - -- - - ---------------------------------------------------------------------- Cristian Gafton -- gafton@redhat.com -- Red Hat, Inc. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "How could this be a problem in a country where we have Intel and Microsoft?" --Al Gore on Y2K - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOPSTkfGvxKXU9NkBAQFT2wP/Q1CA/zlLy3sii398LoOgW3KCnQNVlSC4 A1QwJXAzLTKTkifgnkKcxMJ1oQ8Xym7LvvsqIUKICrATeL4zEpBVyls/xx/sDp6x LaMf03yP0ihWnpkKL7/1xqiQ3bq8fAA1FnbpQUvzFZ2uJ+RobiDLQ97G58nLPIn6 MY8sVj6zCks= =Lh1D - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBOXXR4Sh9+71yA2DNAQFMVQP/S2K4HacfiMZ+SigukfYjT/ZVmoCMzw/3 Rnpjl2afYK+EYAM8/yU6ePmkc72Jc499ewUuAKrLuucEyj3oMBWbt8+2M9fPrnMc hgxsv8h/U1T6uBOuY+9N5lIINCqlfxQZzM4QP/khiGwD18hxdeuMoOubE4+5FkAy fAvXHC/qFRg= =qT9L -----END PGP SIGNATURE-----