TUCoPS :: Linux :: Debian :: dsa-307.htm
gps - multiple vulnerabilities

Debian Security Advisory

DSA-307-1 gps -- multiple vulnerabilities

Date Reported:

27 May 2003

Affected Packages:

gps

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CAN-2003-0361, CAN-2003-0360, CAN-2003-0362.

More information:

gPS is a graphical application to watch system processes. In release 1.1.0 of the gps package, several security vulnerabilities were fixed, as detailed in the changelog:

bug fix on rgpsp connection source acceptation policy (it was allowing any host to connect even when the /etc/rgpsp.conf file told otherwise) It is working now, but on any real ("production") network I suggest you use IP filtering to enforce the policy (like ipchains or iptables)
Several possibilities of buffer overflows have been fixed. Thanks to Stanislav Ievlev from ALT-Linux for pointing a lot of them.
fixed misformatting of command line parameters in rgpsp protocol (command lines with newlines would break the protocol)
fixed buffer overflow bug that caused rgpsp to SIGSEGV when stating processes with large command lines (>128 chars) [Linux only]

All of these problems affect Debian's gps package version 0.9.4-1 in Debian woody. Debian potato also contains a gps package (version 0.4.1-2), but it is not affected by these problems, as the relevant functionality is not implemented in that version.

For the stable distribution (woody) these problems have been fixed in version 0.9.4-1woody1.

The old stable distribution (potato) is not affected by these problems.

For the unstable distribution (sid) these problems are fixed in version 1.1.0-1.

We recommend that you update your gps package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:: http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1.dsc; http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1.diff.gz; http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4.orig.tar.gz
Alpha:: http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_alpha.deb; http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_arm.deb; http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_i386.deb; http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_ia64.deb; http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_hppa.deb; http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_m68k.deb; http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_mips.deb; http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_mipsel.deb; http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_powerpc.deb; http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_s390.deb; http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/g/gps/gps_0.9.4-1woody1_sparc.deb; http://security.debian.org/pool/updates/main/g/gps/rgpsp_0.9.4-1woody1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.