COMMAND

    FVWM (1.24)

SYSTEMS AFFECTED

    Old versions of Red Hat, Slackware 3.0 and Slackware-derived
    systems

PROBLEM

    There is a race condition in FVWM 1.24 that can be exploited.
    Users may be able to execute commands as other users. If root
    uses FVWM, users may be able to execute commands as root.

SOLUTION

    The quick fix is as follows:
        The /tmp directory should be owned by root:root with
        world-write, world-execute and world-read permissions. A
        sticky bit is required on this directory. Use the following
        set of commands to change your /tmp directory parameters to
        conform with the requirements:

        chown root:root /tmp    # make ownership root:root
        chmod 777 /tmp          # make protection mode 777
        chmod +t /tmp           # place a sticky bit on

    Alternatively, disable the use of FVWM. In any case, it is
    recommended to upgrade FVWM to the latest version.
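
    To confirm that /tmp meets the quick-fix requirements (owner
    root:root, mode 777 plus the sticky bit), the following POSIX shell
    function can be used. It is an added example, not part of the
    original advisory; the name audit_tmp_dir and its optional UID/GID
    arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a temporary directory against the advisory's
# requirements (owned by root:root, mode 777 with the sticky bit set).
#
# Usage: audit_tmp_dir DIR [UID] [GID]
# Prints one line per failed requirement and returns 0 only if all hold.
# UID and GID default to 0 (root:root); the optional arguments are a
# hypothetical convenience so the check can be tried on a scratch
# directory without root.
audit_tmp_dir() {
    dir=$1
    want_uid=${2:-0}
    want_gid=${3:-0}
    rc=0

    # A symlinked /tmp would make the checks describe the wrong object.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "$dir: not a real directory"
        return 1
    fi

    # ls -ldn prints the mode string and the numeric owner and group.
    read -r perms _links uid gid _rest <<EOF
$(ls -ldn "$dir")
EOF

    # A trailing "." or "+" (SELinux context, ACL) is tolerated.
    case $perms in
        drwxrwxrwt*) ;;
        drwxrwxrwx*) echo "$dir: mode 777 but sticky bit missing"; rc=1 ;;
        *) echo "$dir: mode is $perms, expected drwxrwxrwt"; rc=1 ;;
    esac

    [ "$uid" = "$want_uid" ] || {
        echo "$dir: owner uid is $uid, expected $want_uid"; rc=1; }
    [ "$gid" = "$want_gid" ] || {
        echo "$dir: group gid is $gid, expected $want_gid"; rc=1; }

    return $rc
}
```

    Run it as: audit_tmp_dir /tmp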