Gnome Installer System Config-file Overwrite Vulnerability

GNOME is a graphical user interface for X11 created by Helix Code. The installer, on Caldera eDesktop and S.u.S.E. linux systems use /tmp in an unsafe manner. It creates a directory in /tmp and stores temporary copies of system configuration files (/etc/config.d/bashrc, /etc/config.d/csh.cshrc, and /etc/rc.d/rc.gui files on Caldera OpenLinux eDesktop 2.4 and /etc/rc.config on SuSE 6.3 and 6.4) there before writing them to their proper locations. If a malicious user has knowledge that the administrator is going to be executing gnome-installer, he/she can cause the installer to write blank configuration files to the system (by making the directory before gnome installer does). This will result in the system losing part of its configuration.


Privacy Statement
Copyright 2010, SecurityFocus