J-Pilot is a desktop organizer application for the Palm Pilot that runs under Linux and Unix using the X Window System and GTK+. J-Pilot sets weak permissions on the directory in the user's home where all of the Palm Pilot's synchronized information is stored. This enables local users to easily view all the information stored on a J-Pilot user's Palm device.
Vulnerable systems:
Linux Mandrake 7.2
(NOTE: The package itself contains the vulnerability; it is recommended that you download the latest version of the product from the author's web site.)
Immune systems:
The J-Pilot program automatically creates a directory called .jpilot/ in the user's home directory with 777 (world read/write/execute) permissions. This directory is used to store all backups, configuration and synchronized Palm Pilot information.
Solution:
Mandrake has updated J-Pilot packages that solve this problem.
Updated packages are available in the "updates/[ver]/RPMS/" directory.
For example, if you are looking for an updated RPM package for Linux-Mandrake 7.2, look for it in "updates/7.2/RPMS/". Updated source RPMs are available as well, but you generally do not need to download them.
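Installing the updated package does not by itself show whether an existing .jpilot/ directory is still exposed. The script below is an added example, not part of the advisory or of J-Pilot: it flags a directory that group or other can access, lists entries not owned by the current user (anyone could write into a 777 directory), and removes group/other access. The function names and the owner-only target mode are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the advisory or J-Pilot: audit and tighten ~/.jpilot.
# Function names and the owner-only target mode are this example's assumptions.

# Octal permission bits of a path: GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Status 0: group or other have some access. 1: owner-only.
# 2: missing, not a directory, or a symlink (never followed).
jpilot_dir_exposed() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 2
    case $(mode_of "$1") in
        0|*00) return 1 ;;   # e.g. 700
        *)     return 0 ;;   # e.g. 777, 755, 750
    esac
}

# Entries not owned by the current user. In a world-writable directory
# any local user could have created or replaced files, so review these.
jpilot_foreign_entries() {
    find "$1" ! -user "$(id -u)" -print
}

# Remove group/other access from the directory and everything in it.
jpilot_dir_tighten() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 2
    chmod -R go-rwx "$1"
}

# Audit, report, then fix. The default path is the one the advisory names.
jpilot_audit() {
    dir=${1:-"$HOME/.jpilot"}
    rc=0; jpilot_dir_exposed "$dir" || rc=$?
    case $rc in
        0) echo "EXPOSED: $dir (mode $(mode_of "$dir"))"
           jpilot_foreign_entries "$dir" | sed 's/^/  not owned by you: /'
           jpilot_dir_tighten "$dir" && echo "fixed: mode $(mode_of "$dir")" ;;
        1) echo "ok: $dir is owner-only" ;;
        *) echo "skipped: $dir is missing or a symlink" ;;
    esac
}

jpilot_audit "$@"
```

Run it as the J-Pilot user; pass a path as the first argument to check a directory other than $HOME/.jpilot.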