Debian Security Advisory

DSA-307-1 gps -- multiple vulnerabilities

Date Reported:
27 May 2003
Affected Packages:
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 7736.
In Mitre's CVE dictionary: CVE-2003-0361, CVE-2003-0360, CVE-2003-0362.
More information:

gPS is a graphical application to watch system processes. In release 1.1.0 of the gps package, several security vulnerabilities were fixed, as detailed in the changelog:

  • bug fix on rgpsp connection source acceptation policy (it was allowing any host to connect even when the /etc/rgpsp.conf file told otherwise). It is working now, but on any real ("production") network I suggest you use IP filtering to enforce the policy (like ipchains or iptables).
  • Several possibilities of buffer overflows have been fixed. Thanks to Stanislav Ievlev from ALT-Linux for pointing a lot of them.
  • fixed misformatting of command line parameters in rgpsp protocol (command lines with newlines would break the protocol).
  • fixed buffer overflow bug that caused rgpsp to SIGSEGV when stating processes with large command lines (>128 chars) [Linux only].

All of these problems affect Debian's gps package version 0.9.4-1 in Debian woody. Debian potato also contains a gps package (version 0.4.1-2), but it is not affected by these problems, as the relevant functionality is not implemented in that version.

For the stable distribution (woody) these problems have been fixed in version 0.9.4-1woody1.

The old stable distribution (potato) is not affected by these problems.

For the unstable distribution (sid) these problems are fixed in version 1.1.0-1.

We recommend that you update your gps package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Intel IA-32:
Intel IA-64:
Motorola 680x0:
Big endian MIPS:
Little endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.