gpm creates temporary files insecurely

Overview

gpm version 1.19.3, which usually runs as root, is vulnerable due to a flaw that allows a local user to exploit a race condition to corrupt files that gpm uses.

Description

gpm (General Purpose Mouse) is a program that lets you use the mouse in console mode when not using XWindows. It is usually included in Linux distributions, and can be started from the command line or in the startup script /etc/rc.d/rc.local. A vulnerability in gpm version 1.19.3 allows a local user to exploit a race condition to corrupt files that gpm uses. The flaw exists because gpm creates files in the /tmp directory using predictable filenames without checking whether a file with that name already exists. Malicious local users can therefore create a symbolic link to a file that will be used by gpm. When gpm is run, the creation of the file fails (since it already exists) and gpm uses the symbolically linked file for its processing. The malicious user can then overwrite or append to the file as it is being used by the privileged gpm program.

---

Impact

Malicious users can destroy the integrity of or deny access to files processed by gpm, which usually runs as root.

---

Solution

Upgrade affected Linux distributions.

---

Vendor Information

426456

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Immunix __ Affected

Notified: January 10, 2001 Updated: June 01, 2001

Status

Affected

Vendor Statement

Immunix reports on their vulnerability to this flaw at <http://download.immunix.org/ImmunixOS/7.0-beta/updates/IMNX-2000-70-016-01&gt;.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23426456 Feedback>).

MandrakeSoft __ Affected

Notified: January 12, 2001 Updated: June 01, 2001

Status

Affected

Vendor Statement

MandrakeSoft reports on their vulnerability to this flaw at <http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-006.php3?dis=6&gt;.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23426456 Feedback>).

RedHat __ Affected

Notified: January 10, 2001 Updated: June 01, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Immunix reported that their vulnerability to this flaw was inherited from Red Hat Linux, since they build from that base. Therefore, Red Hat Linux 7.0 is vulnerable.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23426456 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.securityfocus.com/bid/2188&gt;
• <http://download.immunix.org/ImmunixOS/7.0-beta/updates/IMNX-2000-70-016-01&gt;
• <http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html&gt;
• <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0116&gt;
• <http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-006.php3?dis=6&gt;

Acknowledgements

Thanks to Greg Kroah-Hartman of WireX for discovering this vulnerability. Thanks also to BugTraq for a good description of the underlying problem.

This document was written by Andy Moore.

Other Information

CVE IDs:	CVE-2001-0116
Severity Metric:	2.66 Date Public: