Yellow Dog Linux Security Announcement
--------------------------------------

Package:      gpm
Issue Date:   July 31, 2000
Update Date:  July 31, 2000
Priority:     high
Advisory ID:  YDU-20000731-1

1. Topic:

The gpm program shipped with a security problem. A denial-of-service attack via /dev/gpmctl is also possible.

2. Problem:

Two problems exist in gpm, the program used to enable mouse control on the console when not using X Windows:

1) gpm did not perform adequate checking of setgid return values in the gpm-root helper program. This resulted in an avenue of attack where local users could execute arbitrary commands with elevated group privileges.

2) /dev/gpmctl was writable by users who were not on the console. A user could flood the socket, causing a local denial-of-service attack.

3. Solution:

a) Updating via yup...

We suggest that you use the Yellow Dog Update Program (yup) to keep your system up-to-date. The following command will automatically retrieve and install the fixed version of gpm onto your system:

    yup update gpm

b) Updating manually...

The update can also be retrieved manually from our ftp site below, along with the rpm command that should be used to install the update.

    ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.2/ppc/RPMS/
    gpm-1.19.1-1.ppc.rpm

    rpm -Fvh gpm-1.19.1-1.ppc.rpm

4. Verification

MD5 checksum                      Package
--------------------------------  ----------------------------
02ad47b4148453760b42bd1e1c8be4b2  RPMS/gpm-1.19.1-1.ppc.rpm
93cd38f5019900eddc4cfec11cb22dc6  RPMS/gpm-devel-1.19.1-1.ppc.rpm
8dad11627d451bcf699bf05b49570b11  SRPMS/gpm-1.19.1-1.src.rpm

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:

    rpm --checksig --nogpg filename

5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more information.

For information regarding the usage of yup, the Yellow Dog Update Program, see http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml
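
The class of bug named in Problem 1 (an unchecked setgid return value in a privileged helper), shown as an added C example that is not gpm source code and not part of the original advisory. It contrasts an unchecked group drop with one that fails closed. All function names, and the two stub functions that simulate a setgid() call which fails or silently does nothing, are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*setgid_fn)(gid_t);  /* injectable so failure paths can be exercised */

/* Constructed stand-ins: a setgid() that is rejected, and one that
 * reports success without changing any group ID. */
int failing_setgid(gid_t gid) { (void)gid; errno = EPERM; return -1; }
int noop_setgid(gid_t gid)    { (void)gid; return 0; }

/* Unchecked pattern: the return value is ignored, so the caller is told
 * "ok" and carries on even when the elevated group was never dropped. */
int drop_unchecked(gid_t target, setgid_fn set)
{
    set(target);
    return 0;
}

/* Checked pattern: fail closed unless the call succeeded AND both the
 * real and effective group IDs now equal the requested one. */
int drop_checked(gid_t target, setgid_fn set)
{
    if (set(target) != 0)
        return -1;
    if (getgid() != target || getegid() != target)
        return -1;
    return 0;
}

int main(void)
{
    gid_t user_gid = getgid();  /* the invoking user's own group */

    if (drop_checked(user_gid, setgid) != 0) {
        fprintf(stderr, "group drop failed, refusing to continue\n");
        return 1;
    }
    /* Only past this point would a helper go on to run a user-supplied command. */
    printf("gid=%d egid=%d\n", (int)getgid(), (int)getegid());
    return 0;
}
```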