Bugtraq mailing list archives
Re: gpm-root
From: rubini () LINUX IT (Alessandro Rubini)
Date: Thu, 23 Mar 2000 21:40:54 +0100
Hello Egmont.

> I've sent report about the following security hole to the authors of gpm, but they seemed to ignore the problem.

That's me, mainly. Unfortunately, I don't have any track of your message about gpm-root.

> gpm-root is a beautiful tool shipped in the gpm package.

Not really that beautiful. It was just meant to be a demo, in the hope someone will develop a real root-window tool. Anyways, it's distributed, so I care(d) about its bugs.

> gpm-root calls setuid() first and setgid() afterwards, hence the later one is unsuccessful. The authors completely forgot about calling initgroups().

Thanks for your report, I'll fix it for 1.19.1, which I plan to release in a few days. Since gpm is officially unmaintained, gpm-1.19.1 will be the last one, hopefully, but I already had it on schedule. I want to thank Servio Medina for forwarding your message, as I unsubscribed from bugtraq not long ago, due to excessive email load.

/alessandro
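The call order discussed in the message above, written out as an added example; it is not part of the original post and is not gpm's code. The helper names and the "nobody"/65534 target are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE 1   /* exposes initgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Confirm the process now runs as uid/gid and cannot get uid 0 back.
 * Returns 0 when the drop is complete, -1 otherwise. */
int verify_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* regaining root must fail */
        return -1;
    return 0;
}

/* Hypothetical helper: permanently switch a root process to `user`.
 * Order matters: the group list and the gid can only be changed while
 * still root, so they go first; setuid() is last because it gives up
 * the right to do both. Every return value is checked. */
int drop_privileges(const char *user, uid_t uid, gid_t gid)
{
    if (initgroups(user, gid) != 0) {  /* replace root's group list */
        perror("initgroups");
        return -1;
    }
    if (setgid(gid) != 0) {
        perror("setgid");
        return -1;
    }
    if (setuid(uid) != 0) {
        perror("setuid");
        return -1;
    }
    return verify_dropped(uid, gid);
}

int main(void)
{
    /* Constructed target: "nobody" with uid/gid 65534 is an assumption. */
    if (drop_privileges("nobody", 65534, 65534) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

A caller must stop when `drop_privileges()` returns -1; continuing would leave the process running with whatever identity it still holds.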