--------------------------------------------------------------------- Red Hat, Inc. Security Advisory Synopsis: gpm security flaws have been addressed Advisory ID: RHSA-2000:045-01 Issue date: 2000-07-26 Updated on: 2000-07-26 Product: Red Hat Linux Keywords: gpm, denial of service, /dev/gpmctl, gpm-root, setgid Cross references: RHSA-2000:044 --------------------------------------------------------------------- 1. Topic: gpm as shipped in Red Hat Linux 5.2 and 6.x contains a number of security problems. Additionally, a denial of service attack via /dev/gpmctl is possible. 2. Relevant releases/architectures: Red Hat Linux 5.2 - i386, alpha, sparc Red Hat Linux 6.0 - i386, alpha, sparc Red Hat Linux 6.1 - i386, alpha, sparc Red Hat Linux 6.2 - i386, alpha, sparc 3. Problem description: Two problems exist in gpm, the program used to enable mouse control on the console when not using X Windows: 1. gpm did not perform adequate checking of setgid return values in the gpm-root helper program. This resulted in an avenue of attack where local users could execute arbitrary commands with elevated group priviledges. 2. /dev/gpmctl was writable by users who were not on the console. A user could perform a local denial of service attack by flooding the socket. The security issue has been addressed on 5.2 and 6.x. For 6.x, the /dev/gpmctl ownership issue was addressed via the pam_console helper mechanism. This pam module makes devices which need to be accessible via console users owned by them and no one else. See RHSA-2000:044 for more information on this update. On 5.2, there is no control of console devices available via pam, so we have disabled access to /dev/gpmctl by default. 4. Solution: For each RPM for your particular architecture, run: rpm -Fvh [filename] where filename is the name of the RPM. For 6.x systems, you must upgrade your pam to the version discussed in RHSA-2000:044 to achieve protection from the denial of service attack. For Red Hat Linux 5.2, if you use gpm's "repeater" functionality for X Windows, you will need to reenable access to group/other users of /dev/gpmctl with the chown command. Red Hat Linux does not make use of this functionality by default, and we do not recommend taking this action for the reasons explained above. 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info): 11607 - Newest gpm RPM package will not install 6. RPMs required: Red Hat Linux 5.2: sparc: ftp://updates.redhat.com/5.2/sparc/gpm-1.19.3-0.5.x.sparc.rpm alpha: ftp://updates.redhat.com/5.2/alpha/gpm-1.19.3-0.5.x.alpha.rpm i386: ftp://updates.redhat.com/5.2/i386/gpm-1.19.3-0.5.x.i386.rpm sources: ftp://updates.redhat.com/5.2/SRPMS/gpm-1.19.3-0.5.x.src.rpm Red Hat Linux 6.2: sparc: ftp://updates.redhat.com/6.2/sparc/gpm-1.19.3-0.6.x.sparc.rpm i386: ftp://updates.redhat.com/6.2/i386/gpm-1.19.3-0.6.x.i386.rpm alpha: ftp://updates.redhat.com/6.2/alpha/gpm-1.19.3-0.6.x.alpha.rpm sources: ftp://updates.redhat.com/6.2/SRPMS/gpm-1.19.3-0.6.x.src.rpm 7. Verification: MD5 sum Package Name -------------------------------------------------------------------------- 7e14aa2b98ababfe815b292ff8439b50 5.2/SRPMS/gpm-1.19.3-0.5.x.src.rpm 668c1dd35c9e28cd54c34aed0126afe9 5.2/alpha/gpm-1.19.3-0.5.x.alpha.rpm 6e5ae7e9d4f552978d4821fe5e06e27b 5.2/i386/gpm-1.19.3-0.5.x.i386.rpm 13be2dda7373cbb90567b11dca1e8a76 5.2/sparc/gpm-1.19.3-0.5.x.sparc.rpm 8205248615a5e249e3612753ec7d7c08 6.2/SRPMS/gpm-1.19.3-0.6.x.src.rpm 1750a3ba1ff2094e9e77bcaac8ece826 6.2/alpha/gpm-1.19.3-0.6.x.alpha.rpm 0dd38c9d324a9e82ab8aceb75394a94e 6.2/i386/gpm-1.19.3-0.6.x.i386.rpm 274dfea2fffb8dc6785686409ba3f37a 6.2/sparc/gpm-1.19.3-0.6.x.sparc.rpm These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/corp/contact.html You can verify each package with the following command: rpm --checksig If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg 8. References: http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=Pine.LNX.4.21.0003231428110.13143-100000@csibe.faz ekas.hu http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=Pine.LNX.4.10.10006201453090.1812-200000@apollo.ac i.com.pl Copyright(c) 2000 Red Hat, Inc.