Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Debian :: dsa-307.htm

gps - multiple vulnerabilities



Debian Security Advisory

DSA-307-1 gps -- multiple vulnerabilities

Date Reported:
27 May 2003
Affected Packages:
gps
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CAN-2003-0361, CAN-2003-0360, CAN-2003-0362.
More information:

gPS is a graphical application to watch system processes. In release 1.1.0 of the gps package, several security vulnerabilities were fixed, as detailed in the changelog:

  • bug fix on rgpsp connection source acceptation policy (it was allowing any host to connect even when the /etc/rgpsp.conf file told otherwise) It is working now, but on any real ("production") network I suggest you use IP filtering to enforce the policy (like ipchains or iptables)
  • Several possibilities of buffer overflows have been fixed. Thanks to Stanislav Ievlev from ALT-Linux for pointing a lot of them.
  • fixed misformatting of command line parameters in rgpsp protocol (command lines with newlines would break the protocol)
  • fixed buffer overflow bug that caused rgpsp to SIGSEGV when stating processes with large command lines (>128 chars) [Linux only]

All of these problems affect Debian's gps package version 0.9.4-1 in Debian woody. Debian potato also contains a gps package (version 0.4.1-2), but it is not affected by these problems, as the relevant functionality is not implemented in that version.

For the stable distribution (woody) these problems have been fixed in version 0.9.4-1woody1.

The old stable distribution (potato) is not affected by these problems.

For the unstable distribution (sid) these problems are fixed in version 1.1.0-1.

We recommend that you update your gps package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:
http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1.dsc
http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1.diff.gz
http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_alpha.deb
http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_arm.deb
http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_i386.deb
http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_ia64.deb
http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_hppa.deb
http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_m68k.deb
http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_mips.deb
http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_mipsel.deb
http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_powerpc.deb
http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_s390.deb
http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_sparc.deb
http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH