[14637] in bugtraq


gpm-root initgroups()

daemon@ATHENA.MIT.EDU (Koblinger Egmont)
Mon Apr 24 14:19:33 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.21.0004232126270.3212-100000@csibe.fazekas.hu>
Date:         Sun, 23 Apr 2000 21:31:20 +0200
Reply-To: Koblinger Egmont <egmont@FAZEKAS.HU>
From: Koblinger Egmont <egmont@FAZEKAS.HU>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Hello!

As reported before, the "gpm-root" daemon in gpm-1.19.0 and earlier lets
the user execute any command with uid=0. gpm-1.19.1 fixed half of the
security hole by calling setuid() and setgid() at the right place but not
calling initgroups().

gpm-1.19.2 is out there, which calls initgroups() correctly, fully
fixing this security hole. Therefore anyone running gpm-root is highly
recommended to upgrade to gpm-1.19.2 or apply its setuid(), setgid() and
initgroups() related patches.

Best regards
Egmont Koblinger
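
The privilege drop the message describes (initgroups(), then setgid(), then setuid()), followed by a check that none of root's supplementary groups remain. This is an added example, not code from gpm or from the original post; the names `drop_privileges`, `leaked_groups` and the `MAXG` bound are assumptions made for the illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes initgroups() and getgrouplist() in glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#define MAXG 256                 /* assumed upper bound on groups for this example */

/* Count groups in have[] that are absent from allowed[]: leftovers of the old identity. */
int leaked_groups(const gid_t *have, int n, const gid_t *allowed, int m)
{
    int leaked = 0;
    for (int i = 0; i < n; i++) {
        int ok = 0;
        for (int j = 0; j < m; j++)
            if (have[i] == allowed[j]) ok = 1;
        leaked += !ok;
    }
    return leaked;
}

/* Returns 0 only if the process is fully switched to `user`; on -1 run nothing. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    uid_t uid = pw->pw_uid; gid_t gid = pw->pw_gid;   /* copy: pw is static storage */

    /* All three calls need root, so setuid() must come last. */
    if (initgroups(user, gid) != 0) return -1;   /* replaces root's supplementary groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify instead of trusting: ids match, root is not regainable, no group leaked. */
    gid_t have[MAXG], allowed[MAXG];
    int m = MAXG, n = getgroups(MAXG, have);
    if (n < 0 || getgrouplist(user, gid, allowed, &m) < 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;
    return leaked_groups(have, n, allowed, m) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2 || drop_privileges(argv[1]) != 0) { fprintf(stderr, "drop failed\n"); return 1; }
    printf("now uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Calling only setgid() and setuid() leaves the group list returned by getgroups() unchanged, which is the half-fixed state the message attributes to gpm-1.19.1.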
