Hello!

As reported before, the "gpm-root" daemon in gpm-1.19.0 and earlier lets
the user execute any command with uid=0. gpm-1.19.1 fixed half of the
security hole by calling setuid() and setgid() at the right place but not
calling initgroups().

gpm-1.19.2 is out there, which calls initgroups() correctly, fully
fixing this security hole. Therefore anyone running gpm-root is highly
recommended to upgrade to gpm-1.19.2 or apply its setuid(), setgid() and
initgroups() related patches.

Best regards
Egmont Koblinger
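
The privilege drop discussed in the message above, as an added example (not gpm's code and not part of the original post): setuid() and setgid() leave the supplementary group list untouched, so without initgroups() a process started by root keeps root's groups. The names drop_to_user and count_leftover_groups are hypothetical, and the gids in main() are constructed sample values.

```c
#define _DEFAULT_SOURCE 1  /* exposes initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently become the user in pw. Group changes need root, so the
 * supplementary list and gid go first and the uid goes last. */
int drop_to_user(const struct passwd *pw)
{
    if (pw == NULL) return -1;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    /* For a non-root target, regaining uid 0 must now fail. */
    if (pw->pw_uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Count groups in `have` (as reported by getgroups() after the drop) that
 * are not in `allowed` (the target user's own groups). Non-zero means the
 * process kept groups from its previous identity. */
int count_leftover_groups(const gid_t *have, int nhave,
                          const gid_t *allowed, int nallowed)
{
    int leftover = 0;
    for (int i = 0; i < nhave; i++) {
        int ok = 0;
        for (int j = 0; j < nallowed; j++)
            if (have[i] == allowed[j]) ok = 1;
        if (!ok) leftover++;
    }
    return leftover;
}

int main(void)
{
    /* Constructed sample: gids a root-started daemon might hold, and the
     * groups of a hypothetical user with uid/gid 1000. */
    gid_t inherited[] = {0, 4, 6};
    gid_t user[] = {1000, 100};
    printf("setuid+setgid only: %d leftover\n",
           count_leftover_groups(inherited, 3, user, 2));
    printf("with initgroups:    %d leftover\n",
           count_leftover_groups(user, 2, user, 2));
    return 0;
}
```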
