Published: 16 April 2000

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
              AUSCERT External Security Bulletin Redistribution
                             
                      ESB-2000.067 -- RHSA-2000:009-02
                         New gpm packages available
                                17 April 2000

===========================================================================

Red Hat, Inc. has released the following advisory concerning a 
vulnerability in the gpm-root program shipped with Red Hat Linux on several 
architectures. The gpm-root (part of the gpm package) fails to drop gid 0 
privileges when executing user commands.  This vulnerability may allow 
local console users to gain privileged access.


- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----


- - ---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          gpm
Advisory ID:       RHSA-2000:009-02
Issue date:        2000-04-07
Updated on:        2000-04-10
Product:           Red Hat Linux
Keywords:          gpm gpm-root gid 0 privilege
Cross references:  N/A
- - ---------------------------------------------------------------------

1. Topic:

gpm-root (part of the gpm package) fails to drop gid 0 privileges
when executing user commands.

2. Relevant releases/architectures:

Red Hat Linux 4.2 - alpha i386 sparc
Red Hat Linux 5.2 - i386 alpha sparc
Red Hat Linux 6.0 - alpha i386 sparc
Red Hat Linux 6.1 - i386 alpha sparc
Red Hat Linux 6.2 - alpha i386 sparc


3. Problem description:

gpm is a cut and paste utility and mouse server for virtual
consoles. As part of this package, the gpm-root program allows
people to define menus and actions for display when clicking on
the background of the current tty.

The current gpm-root program fails to correctly give up the group
id 0 membership for user-defined menus. If you are running
gpm-root on your system then you are at risk.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

10340 - Exploit in gpm-root. 
10644 - gpm security problem in gpm-root


6. Obsoleted by:

N/A

7. Conflicts with:

N/A

8. RPMs required:


Red Hat Linux 4.2:

alpha:
ftp://updates.redhat.com/4.2/alpha/gpm-1.19.1-0.4.2.alpha.rpm

intel:
ftp://updates.redhat.com/4.2/i386/gpm-1.19.1-0.4.2.i386.rpm

sparc:
ftp://updates.redhat.com/4.2/sparc/gpm-1.19.1-0.4.2.sparc.rpm

sources:
ftp://updates.redhat.com/4.2/SRPMS/gpm-1.19.1-0.4.2.src.rpm

Red Hat Linux 5.2:

intel:
ftp://updates.redhat.com/5.2/i386/gpm-1.19.1-0.5.2.i386.rpm

alpha:
ftp://updates.redhat.com/5.2/alpha/gpm-1.19.1-0.5.2.alpha.rpm

sparc:
ftp://updates.redhat.com/5.2/sparc/gpm-1.19.1-0.5.2.sparc.rpm

sources:
ftp://updates.redhat.com/5.2/SRPMS/gpm-1.19.1-0.5.2.src.rpm

Red Hat Linux 6.0, 6.1, 6.2:

alpha:
ftp://updates.redhat.com/6.2/alpha/gpm-1.19.1-1.alpha.rpm

intel:
ftp://updates.redhat.com/6.2/i386/gpm-1.19.1-1.i386.rpm

sparc:
ftp://updates.redhat.com/6.2/sparc/gpm-1.19.1-1.sparc.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/gpm-1.19.1-1.src.rpm


9. Verification:

MD5 sum                           Package Name
- - --------------------------------------------------------------------------
b8278a5d0a867a2fd8e6ac4a927627cb  4.2/alpha/gpm-1.19.1-0.4.2.alpha.rpm
c5075756a0f74c36a94c78ccda496412  4.2/sparc/gpm-1.19.1-0.4.2.sparc.rpm
b3d87c92880a9bf80d0fd3ff944e907b  4.2/SRPMS/gpm-1.19.1-0.4.2.src.rpm
7112c804fd008e137f8d6551460c10d7  4.2/i386/gpm-1.19.1-0.4.2.i386.rpm
79ebec95b2d6e48f60d4e34cfdee6f93  5.2/i386/gpm-1.19.1-0.5.2.i386.rpm
c4cdced5149e773733458c234ede2ac7  5.2/SRPMS/gpm-1.19.1-0.5.2.src.rpm
330e555a09e7b5c85187d348dbf453e6  5.2/alpha/gpm-1.19.1-0.5.2.alpha.rpm
5ceda554f2549c100a88d6370e45e2f6  5.2/sparc/gpm-1.19.1-0.5.2.sparc.rpm
867c4316ec0645fd8e51b674646ef44d  6.2/alpha/gpm-1.19.1-1.alpha.rpm
fbeb89d319776e7eb3af1db15679e93f  6.2/sparc/gpm-1.19.1-1.sparc.rpm
86a800ce94206877edc4f6e88272deee  6.2/i386/gpm-1.19.1-1.i386.rpm
8dedce47f4e6aa7bbfb36d9630561cd4  6.2/SRPMS/gpm-1.19.1-1.src.rpm


These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

10. References:

http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000322182143.4498.qmail@securityfocus.com

Thanks also go to Egmont Koblinger and the members of the Bugtraq list.

Cristian
- - --
- - ----------------------------------------------------------------------
Cristian Gafton     --     gafton@redhat.com      --     Red Hat, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  "How could this be a problem in a country where we have Intel and 
   Microsoft?"  --Al Gore on Y2K

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
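
The failure described in section 3 of the advisory above (a privileged helper that runs user-defined commands without giving up gid 0) is avoided by dropping groups before the user id and verifying the result before exec. The following is an added example, not gpm-root's source and not part of the Red Hat advisory; it assumes Linux/glibc, and drop_privileges() and run_user_command() are hypothetical names.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* for setgroups() in <grp.h> */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently become uid:gid. Groups go first: once setuid() has given up
 * root, the process lacks the privilege to change its groups. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)  /* shed inherited groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)       /* gid before uid */
        return -1;
    /* Verify the result rather than trusting the return codes alone. */
    if (getgid() != gid || getegid() != gid || getuid() != uid || geteuid() != uid)
        return -1;
    /* For a non-root target, gid 0 and uid 0 must now be out of reach. */
    if (uid != 0 && ((gid != 0 && setgid(0) == 0) || setuid(0) == 0))
        return -1;
    return 0;
}

/* Hypothetical helper: fork, drop to uid:gid, exec the user-defined command.
 * Returns its exit status; 126 means the drop failed and nothing was run. */
static int run_user_command(uid_t uid, gid_t gid, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(126);             /* fail closed: never exec half-dropped */
        execv(argv[0], argv);
        _exit(127);                 /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char *cmd[] = { "/bin/sh", "-c", "id", NULL };  /* constructed sample command */
    printf("exit status: %d\n", run_user_command(getuid(), getgid(), cmd));
    return 0;
}
```

Run as root with a non-root target uid and gid, the regain checks are exercised; run as an ordinary user, the call is a drop to the caller's own ids and the command simply executes.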

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be made in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

-----END PGP SIGNATURE-----