Linux Today: Linux News On Internet Time.


Helix Code Security Advisory - go-gnome pre-installer

Aug 30, 2000, 20:10


Date: Tue, 29 Aug 2000 18:08:50 -0400
From: "Helix Code, Inc."
Subject: Helix Code Security Advisory - go-gnome pre-installer

HELIX CODE, INC.
SECURITY ADVISORY
Issue Date: 29 Aug 2000
"go-gnome" Helix GNOME pre-installer

A vulnerability in the go-gnome pre-installer allows non-root users to exploit world-writable permissions in /tmp, permitting files normally only accessible by root to be overwritten.

The go-gnome pre-installer uses a few rather predictable filenames in /tmp for uudecode, snarf, and the installer files. If one (or more) of those filenames already exists as a symbolic link created by a malicious user, the files pointed to by those links will be clobbered.

The go-gnome pre-installer has been updated on the main Helix Code mirror and This new version fixes this vulnerability by storing files in /var/cache/helix-install, which is writable only by root.

A new version of the go-gnome pre-installer is available immediately from Helix Code, Inc. at

94e5849dd659642bc58d768d12c3c26d go-gnome

Copyright (c) 2000 Helix Code, Inc.
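
The defense this advisory describes, a work directory that only its owner can write, sketched in shell together with a write helper that refuses any path that already exists. This is an added example, not Helix Code's script: the function names and sandbox paths are hypothetical, and the noclobber write goes beyond the fix the advisory states.

```shell
#!/bin/sh
# Added example, not Helix Code's script. Function names and paths are hypothetical.

# Accept DIR as a work area only if it is a real directory (not a symlink),
# owned by the current user, and not writable by group or others.
dir_is_private() {
    [ ! -L "$1" ] && [ -d "$1" ] && [ -O "$1" ] &&
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Create the work area, or reuse it only if it passes the checks above.
# mkdir without -p fails on any existing path, including a dangling symlink.
prepare_workdir() {
    mkdir -m 700 "$1" 2>/dev/null || dir_is_private "$1"
}

# Write stdin to PATH, refusing to overwrite or follow anything already there.
# With noclobber (set -C), '>' fails if the path exists, symlinks included.
write_new() {
    ( set -C; cat > "$1" ) 2>/dev/null
}

# Constructed demo in a throwaway sandbox that stands in for /tmp.
demo() {
    sandbox=$(mktemp -d) || return 1
    echo "root-owned data" > "$sandbox/protected"         # stands in for a root-only file
    ln -s "$sandbox/protected" "$sandbox/installer-file"  # link already at a guessable name
    mkdir "$sandbox/shared" && chmod 777 "$sandbox/shared"  # world-writable, like /tmp

    echo payload | write_new "$sandbox/installer-file" ||
        echo "refused: path already exists"
    prepare_workdir "$sandbox/shared" ||
        echo "refused: shared directory is not private"
    prepare_workdir "$sandbox/cache" &&
        echo payload | write_new "$sandbox/cache/installer-file" &&
        echo "wrote into private directory"
    cat "$sandbox/protected"                              # contents are unchanged
    rm -rf "$sandbox"
}
demo
```

The ownership and mode checks only help if every parent of the work directory is equally protected, which is why a root-owned location such as the advisory's /var/cache/helix-install is preferable to any subdirectory of /tmp.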