Vulnerability Note VU#25701

Linux gpm daemon allows arbitrary file removal

Original Release date: 25 May 2001 | Last revised: 13 Sep 2002

Overview

gpm version 1.19.2 and earlier are vulnerable due to a flaw that allows a local user to delete arbitrary files.

Description

gpm (General Purpose Mouse) is the program that lets you use the mouse in console mode when not using XWindows. It is usually included in Linux distributions, and can be started from the command line or in the startup script /etc/rc.d/rc.local. A vulnerability in gpm version 1.19.2 and earlier allows local users to delete arbitrary files.

Impact

A user with console access can use this vulnerability to delete any file of his choosing.

Solution

Upgrade to gpm version 1.19.3 or later.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
CalderaAffected20 Jul 200013 Sep 2002
ConectivaAffected-25 May 2001
MandrakeSoftAffected-25 May 2001
Red Hat Inc.Unknown-25 May 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This document was written by Andy Moore.

Other Information

  • CVE IDs: CAN-2000-0667
  • Date Public: 27 Jul 2000
  • Date First Published: 25 May 2001
  • Date Last Updated: 13 Sep 2002
  • Severity Metric: 3.04
  • Document Revision: 11

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.