Bugtraq mailing list archives
Helix Code Security Advisory - go-gnome pre-installer
From: "Helix Code, Inc." <security () helixcode com>
Date: Tue, 29 Aug 2000 18:08:50 -0400
HELIX CODE, INC. SECURITY ADVISORY
security () helixcode com

Issue Date: 29 Aug 2000

PACKAGES AFFECTED:
"go-gnome" Helix GNOME pre-installer

SYNOPSIS:
A vulnerability in the go-gnome pre-installer allows non-root users to exploit world-writable permissions in /tmp, permitting files normally only accessible by root to be overwritten.

DESCRIPTION:
The go-gnome pre-installer uses a few rather predictable filenames in /tmp for uudecode, snarf, and the installer files. If one (or more) of those files already exist with a symbolic link created by a malicious user, the files pointed to by those links will be clobbered.

SOLUTION:
The go-gnome pre-installer has been updated on the main Helix Code mirror and go-gnome.com. This new version fixes this vulnerability by storing files in /var/cache/helix-install, which is writable only by root.

AVAILABILITY:
A new version of the go-gnome pre-installer is available immediately from Helix Code, Inc. at go-gnome.com:
http://go-gnome.com

VERIFICATION:
94e5849dd659642bc58d768d12c3c26d go-gnome

Copyright (c) 2000 Helix Code, Inc.
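The mitigation the advisory describes (staging files in a directory only the installing user can write to, instead of under predictable names in /tmp), as an added shell example that is not part of the advisory or of the go-gnome script. The function names `prepare_stage_dir` and `stage_file` are hypothetical, and the directory is passed in as an argument so the checks can be tried on any scratch path.

```shell
#!/bin/sh
# Added example, not Helix Code's code. Function names are hypothetical.

# prepare_stage_dir DIR
# Succeeds only if DIR is a real directory owned by the caller that no
# other user can write to. Creates it with mode 0700 if it is missing.
prepare_stage_dir() {
    dir=$1
    # A symlink planted at this path would redirect every later write.
    if [ -L "$dir" ]; then
        echo "refusing $dir: symbolic link" >&2
        return 1
    fi
    if [ ! -e "$dir" ]; then
        # mkdir fails if the name appears in the meantime and never
        # follows a symlink, so there is no check-then-create race.
        ( umask 077 && mkdir "$dir" ) || return 1
    fi
    if [ ! -d "$dir" ] || [ ! -O "$dir" ]; then
        echo "refusing $dir: not a directory owned by this user" >&2
        return 1
    fi
    # Group- or world-writable directories let others pre-create entries.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "refusing $dir: writable by group or others" >&2
        return 1
    fi
    return 0
}

# stage_file DIR NAME
# Copies stdin to DIR/NAME. With noclobber (set -C) the redirection
# fails if NAME already exists, including as a symlink, so an existing
# entry is never written through.
stage_file() {
    prepare_stage_dir "$1" || return 1
    ( set -C; cat > "$1/$2" ) 2>/dev/null
}
```
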