GnoRPM Arbitrary File Overwrite Vulnerability

BID:1761

Info

Bugtraq ID: 1761
Class: Origin Validation Error
CVE:
Remote: No
Local: Yes
Published: Oct 02 2000 12:00AM
Updated: Oct 02 2000 12:00AM
Credit: This vulnerability was originally reported to bugtraq by Alan Cox <[email protected]> on Mon, 2 Oct 2000.
Vulnerable: GNOME GnoRPM 0.94
- Caldera OpenLinux 2.4
- Caldera OpenLinux 2.3
- Caldera OpenLinux 2.2
- Caldera OpenLinux 1.2
- Caldera OpenLinux 1.1
- Caldera OpenLinux 1.0
- Debian Linux 2.3
- Debian Linux 2.2
- Debian Linux 2.1
- Debian Linux 2.0
+ Mandriva Linux Mandrake 7.1
+ Mandriva Linux Mandrake 7.0
+ Mandriva Linux Mandrake 6.1
+ Mandriva Linux Mandrake 6.0
+ Redhat Linux 7.0
+ Redhat Linux 6.0 x
+ Redhat Linux 5.0
Not Vulnerable: GNOME GnoRPM 0.95
- Caldera OpenLinux 2.4
- Caldera OpenLinux 2.3
- Caldera OpenLinux 2.2
- Caldera OpenLinux 1.3
- Caldera OpenLinux 1.2
- Caldera OpenLinux 1.1
- Caldera OpenLinux 1.0
+ Mandriva Linux Mandrake 7.1
+ Mandriva Linux Mandrake 7.0
+ Mandriva Linux Mandrake 6.1
+ Mandriva Linux Mandrake 6.0
+ Redhat Linux 7.0
+ Redhat Linux 6.0 x
+ Redhat Linux 5.x
+ Redhat Linux 4.x

Discussion

A vulnerability exists in versions of GnoRPM, the GNOME graphical RPM manager, prior to v0.95, involving the way gnomerpm handles temporary files. GnomeRPM creates temporary files in the world-writable /tmp directory with predictable filenames. A malicious local user can create symbolic links in /tmp with guessed or predicted filenames, knowing in advance that GnomeRPM will be run by root. When that happens, the files pointed to by the correctly guessed symbolic links are overwritten by GnomeRPM (as root).

This can lead to a local denial of service if critical files are overwritten.
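The weakness described above, next to two hardened ways of creating the temporary file, as an added example (not GnoRPM's code). It runs inside a private scratch directory, and the file names `gnorpm.tmp` and `important.conf` are constructed for illustration.

```c
#define _XOPEN_SOURCE 700   /* mkstemp, mkdtemp, symlink, lstat */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: fixed name, and open() follows a symlink already at that path. */
static int open_naive(const char *path) { return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600); }

/* Hardened: with O_CREAT|O_EXCL, open() fails with EEXIST if anything,
   including a symlink, already exists at the path. */
static int open_exclusive(const char *path) { return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600); }

static long size_of(const char *p) { struct stat s; return stat(p, &s) ? -1L : (long)s.st_size; }

/* Runs the scenario in a private scratch directory (all names constructed).
   Bits: 1 = exclusive open refused the link and the target kept its 5 bytes,
         2 = naive open truncated the link target,
         4 = mkstemp() made a fresh regular file with no group/other access. */
static int demo(void) {
    char dir[] = "/tmp/tmpdemo-XXXXXX", target[64], fixed[64], uniq[64];
    struct stat st; FILE *f; int fd, bits = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/important.conf", dir);
    snprintf(fixed, sizeof fixed, "%s/gnorpm.tmp", dir);    /* hypothetical fixed name */
    snprintf(uniq, sizeof uniq, "%s/gnorpm-XXXXXX", dir);   /* template for mkstemp() */
    if (!(f = fopen(target, "w"))) return -1;
    fputs("data\n", f); fclose(f);
    if (symlink(target, fixed) != 0) return -1;             /* link already in place */
    fd = open_exclusive(fixed);
    if (fd < 0 && errno == EEXIST && size_of(target) == 5) bits |= 1;
    if (fd >= 0) close(fd);
    fd = open_naive(fixed);
    if (fd >= 0) { close(fd); if (size_of(target) == 0) bits |= 2; }
    fd = mkstemp(uniq);                                     /* random name, created exclusively */
    if (fd >= 0) { close(fd);
        if (!lstat(uniq, &st) && S_ISREG(st.st_mode) && !(st.st_mode & 077)) bits |= 4; }
    unlink(uniq); unlink(fixed); unlink(target); rmdir(dir);
    return bits;
}

int main(void) { printf("result bits: %d\n", demo()); return 0; }
```

On current Linux kernels the `fs.protected_symlinks` setting additionally restricts following such links in sticky world-writable directories, which is why the demonstration uses its own directory rather than /tmp itself.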

Exploit / POC

Solution / Fix

Solution:
A new release of GnoRPM (0.95.1) is available now. Versions of GnoRPM prior to 0.95 are believed to be vulnerable.

ftp.linux.org.uk:/pub/linux/alan/GNORPM/gnorpm-0.95.1.tar.gz
ftp.gnome.org:/pub/GNOME/stable/sources/gnorpm/gnorpm-0.95.1.tar.gz (soon)

MD5Sum: 80521433f88fa09899e9105a24c69ef9 gnorpm-0.95.1.tar.gz

MandrakeSoft has released software upgrades to patch this vulnerability.

S.u.S.E. Linux:

i386 Intel Platform:

SuSE-7.0
ftp://ftp.suse.com/pub/suse/i386/update/7.0/gnm3/gnorpm-0.95-3.i386.rpm
6aa5ea031f48d903bf3fb4e2328fc4c7
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/gnorpm-0.95-3.src.rpm
a6df0b51a50b0f82a1d0e77d46587d82

SuSE-6.4
ftp://ftp.suse.com/pub/suse/i386/update/6.4/gnm3/gnorpm-0.95-3.i386.rpm
2f47a772c634c35d989078287668e67d
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/gnorpm-0.95-3.src.rpm
04a7c41f0537ef513495efc49c105b1b

Sparc Platform:

SuSE-7.0
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/gnm3/gnorpm-0.9-159.sparc.rpm
467a2839f7df52c31eb42b97ebb8dd0d
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/gnorpm-0.9-159.src.rpm
eb09af61e93eab32a55c6538d0b45bc4

AXP Alpha Platform:

SuSE-6.4
ftp://ftp.suse.com/pub/suse/axp/update/6.4/gnm3/gnorpm-0.95-4.alpha.rpm
b99a121e1469f958413b26eef1fd7ce9
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/gnorpm-0.95-4.src.rpm
a65ba20f86d5d0693ecc3e77520ff584

PPC Power PC Platform:

SuSE-6.4
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/gnm3/gnorpm-0.95-3.ppc.rpm
9ad07eb2c2c437ed427d8ec5cb2b8439
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/gnorpm-0.95-3.src.rpm
ffdb55e153b7e07cad91830eafb088b9


GNOME GnoRPM 0.94
