Vulnerability Note VU#426456
gpm creates temporary files insecurely
gpm version 1.19.3, which usually runs as root, is vulnerable due to a flaw that allows a local user to exploit a race condition to corrupt files that gpm uses.
gpm (General Purpose Mouse) is a program that lets you use the mouse in console mode when not using XWindows. It is usually included in Linux distributions, and can be started from the command line or in the startup script /etc/rc.d/rc.local. A vulnerability in gpm version 1.19.3 allows a local user to exploit a race condition to corrupt files that gpm uses. The flaw exists because gpm creates files in the /tmp directory using predictable filenames without checking whether a file with that name already exists. Malicious local users can therefore create a symbolic link to a file that will be used by gpm. When gpm is run, the creation of the file fails (since it already exists) and gpm uses the symbolically linked file for its processing. The malicious user can then overwrite or append to the file as it is being used by the privileged gpm program.
Malicious users can destroy the integrity of or deny access to files processed by gpm, which usually runs as root.
Upgrade affected Linux distributions.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Immunix||Affected||10 Jan 2001||01 Jun 2001|
|MandrakeSoft||Affected||12 Jan 2001||01 Jun 2001|
|RedHat||Affected||10 Jan 2001||01 Jun 2001|
CVSS Metrics (Learn More)
Thanks to Greg Kroah-Hartman of WireX for discovering this vulnerability. Thanks also to BugTraq for a good description of the underlying problem.
This document was written by Andy Moore.
- CVE IDs: CVE-2001-0116
- Date Public: 10 Jan 2001
- Date First Published: 08 Jun 2001
- Date Last Updated: 22 Jun 2001
- Severity Metric: 2.66
- Document Revision: 13
If you have feedback, comments, or additional information about this vulnerability, please send us email.