Helix Code Security Advisory - go-gnome pre-installer
Aug 30, 2000, 20:10 (0 Talkback[s])
Date: Tue, 29 Aug 2000 18:08:50 -0400
From: "Helix Code, Inc." firstname.lastname@example.org
Subject: Helix Code Security Advisory - go-gnome pre-installer
HELIX CODE, INC. SECURITY ADVISORY
email@example.com Issue Date: 29 Aug 2000
"go-gnome" Helix GNOME pre-installer
A vulnerability in the go-gnome pre-installer allows non-root users
to exploit world-writable permissions in /tmp, permitting files
normally only accessible by root to be overwritten.
The go-gnome pre-installer uses a few rather predictable filenames
in /tmp for uudecode, snarf, and the installer files. If one (or
more) of those files already exist with a symbolic link created by
a malicious user, the files pointed to by those links will be
The go-gnome pre-installer has been updated on the main Helix Code
mirror and go-gnome.com. This new version fixes this vulnerability
by storing files in /var/cache/helix-install, which is writable
only by root.
A new version of the go-gnome pre-installer is available
immediately from Helix Code, Inc. at go-gnome.com:
Copyright (c) 2000 Helix Code, Inc.