Debian Bug report logs - #508597
gpsdriver: allows local users to overwrite arbitrary files via a symlink attack

Package: gpsdrive; Maintainer for gpsdrive is (unknown);

Reported by: Raphael Geissert <atomo64@gmail.com>

Date: Fri, 12 Dec 2008 22:30:02 UTC

Severity: important

Tags: fixed-upstream, security

Found in version gpsdrive/2.10~pre4-6.dfsg-1

Fixed in versions gpsdrive/2.10~pre4-6.dfsg-2, gpsdrive/2.10~pre4-6.dfsg-1+lenny1

Done: Andreas Putzo <andreas@putzo.net>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/tracker/index.php?func=detail&aid=2121124&group_id=148048&atid=770280


Report forwarded to debian-bugs-dist@lists.debian.org, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>:
Bug#508597; Package gpsdrive. (Fri, 12 Dec 2008 22:30:04 GMT)


Message #3 received at submit@bugs.debian.org:

From: Raphael Geissert <atomo64@gmail.com>
To: submit@bugs.debian.org
Subject: gpsdriver: allows local users to overwrite arbitrary files via a symlink attack
Date: Fri, 12 Dec 2008 16:27:07 -0600
Package: gpsdrive
Version: 2.10~pre4-6.dfsg-1
Tags: security
Severity: important

Hi,

I have found three other attack vectors:

/usr/share/doc/gpsdrive/examples/gpssmswatch:
> FILE=/tmp/.smswatch
> while [ 1 = 1 ]
> do
> gnokii --getsms SM 1 > $FILE
> if [ $? = "0" ];then
> gnokii --deletesms SM 1
> fi
> grep PLSSENDPOS $FILE
> if [ $? = "0" ];then
> echo -e "position request found\n"
> NUMBER=`grep Sender /tmp/.smswatch|awk '{print $2}'`
> killall -USR1 gpsdrive
>
> echo "sending "
> cat /tmp/gpsdrivepos
> echo -e "to number $NUMBER\n"
> gnokii --sendsms $NUMBER < /tmp/gpsdrivepos

src/splash.c
>         f = fopen ("/tmp/gpsdrivepos", "w");
>         if (f == NULL)
>         {
>                 perror ("/tmp/gpsdrivepos");
>                 return;
>         }
>         time (&t);
>         ts = localtime (&t);
>         fprintf (f, asctime (ts));
>         fprintf (f, "POS %f %f\n", coords.current_lat, coords.current_lon);
>         fclose (f);

src/unit_test.c:
> g_snprintf (dir_proc, sizeof (dir_proc), "/tmp/gpsdrive-unit-test");
> g_snprintf (dir_proc, sizeof (dir_proc), "/tmp/gpsdrive-unit-test/proc");

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>:
Bug#508597; Package gpsdrive. (Mon, 15 Dec 2008 20:42:02 GMT)


Acknowledgement sent to Andreas Putzo <andreas@putzo.net>:
Extra info received and forwarded to list. Copy sent to Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>. (Mon, 15 Dec 2008 20:42:02 GMT)


Message #8 received at 508597@bugs.debian.org:

From: Andreas Putzo <andreas@putzo.net>
To: Raphael Geissert <atomo64@gmail.com>, 508597@bugs.debian.org
Subject: Re: Bug#508597: gpsdriver: allows local users to overwrite arbitrary files via a symlink attack
Date: Mon, 15 Dec 2008 21:37:13 +0100
Hi,

On Dec 12  16:27, Raphael Geissert wrote:
> Package: gpsdrive
> Version: 2.10~pre4-6.dfsg-1
> Tags: security
> Severity: important
> I have found three other attack vectors:
> 
> /usr/share/doc/gpsdrive/examples/gpssmswatch:
> src/splash.c

I think this was used to e.g. dump the current position to 
a file and send an SMS to a mobile phone. It requires the user
to send SIGUSR1 to the gpsdrive process, which makes this attack vector 
more unlikely to be successful. In my opinion this functionality is
obsolete anyway and should be removed from gpsdrive.
Regarding splash.c there's already a bug in the gpsdrive bug tracker
(set forward accordingly).

> src/unit_test.c:
> > g_snprintf (dir_proc, sizeof (dir_proc), "/tmp/gpsdrive-unit-test");
> > g_snprintf (dir_proc, sizeof (dir_proc), "/tmp/gpsdrive-unit-test/proc");

Will look into this.

Cheers, 
Andreas


Noted your statement that Bug has been forwarded to https://sourceforge.net/tracker/index.php?func=detail&aid=2121124&group_id=148048&atid=770280. Request was from Andreas Putzo <andreas@putzo.net> to control@bugs.debian.org. (Mon, 15 Dec 2008 20:42:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>:
Bug#508597; Package gpsdrive. (Tue, 16 Dec 2008 16:21:02 GMT)


Acknowledgement sent to Hamish <hamish_b@yahoo.com>:
Extra info received and forwarded to list. Copy sent to Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>. (Tue, 16 Dec 2008 16:21:02 GMT)


Message #15 received at 508597@bugs.debian.org:

From: Hamish <hamish_b@yahoo.com>
To: 508597@bugs.debian.org
Subject: Re: gpsdrive: allows local users to overwrite arbitrary files via a symlink attack
Date: Wed, 17 Dec 2008 05:19:42 +1300
[1,2]
> scripts/gpssmswatch and src/splash.c

rewritten upstream not to use /tmp/gpsdrivepos anymore (now directly polls
position from gpsd), and /tmp/.smswatch is now created with `tempfile`, in
a secure way.
-done-


[3]
> src/unit_test.c  +  /tmp/gpsdrive-unit-test

still needs work.
-open-


Hamish




Tags added: fixed-upstream Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Fri, 16 Jan 2009 21:27:35 GMT)


Reply sent to Andreas Putzo <andreas@putzo.net>:
You have taken responsibility. (Mon, 19 Jan 2009 22:09:04 GMT)


Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Mon, 19 Jan 2009 22:09:04 GMT)


Message #22 received at 508597-close@bugs.debian.org:

From: Andreas Putzo <andreas@putzo.net>
To: 508597-close@bugs.debian.org
Subject: Bug#508597: fixed in gpsdrive 2.10~pre4-6.dfsg-2
Date: Mon, 19 Jan 2009 21:47:08 +0000
Source: gpsdrive
Source-Version: 2.10~pre4-6.dfsg-2

We believe that the bug you reported is fixed in the latest version of
gpsdrive, which is due to be installed in the Debian FTP archive:

gpsdrive-data_2.10~pre4-6.dfsg-2_all.deb
  to pool/main/g/gpsdrive/gpsdrive-data_2.10~pre4-6.dfsg-2_all.deb
gpsdrive-scripts_2.10~pre4-6.dfsg-2_all.deb
  to pool/main/g/gpsdrive/gpsdrive-scripts_2.10~pre4-6.dfsg-2_all.deb
gpsdrive_2.10~pre4-6.dfsg-2.diff.gz
  to pool/main/g/gpsdrive/gpsdrive_2.10~pre4-6.dfsg-2.diff.gz
gpsdrive_2.10~pre4-6.dfsg-2.dsc
  to pool/main/g/gpsdrive/gpsdrive_2.10~pre4-6.dfsg-2.dsc
gpsdrive_2.10~pre4-6.dfsg-2_i386.deb
  to pool/main/g/gpsdrive/gpsdrive_2.10~pre4-6.dfsg-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 508597@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Putzo <andreas@putzo.net> (supplier of updated gpsdrive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 29 Dec 2008 16:08:22 +0000
Source: gpsdrive
Binary: gpsdrive gpsdrive-data gpsdrive-scripts
Architecture: source i386 all
Version: 2.10~pre4-6.dfsg-2
Distribution: unstable
Urgency: low
Maintainer: Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>
Changed-By: Andreas Putzo <andreas@putzo.net>
Description: 
 gpsdrive   - Car navigation system
 gpsdrive-data - Car navigation system
 gpsdrive-scripts - Various scripts for gpsdrive
Closes: 508596 508597
Changes: 
 gpsdrive (2.10~pre4-6.dfsg-2) unstable; urgency=low
 .
   * Remove example script gpssmswatch. Prone to symlink attacks
     and removed upstream.
   * Added 101-signalposreq.dpatch to remove signalposreq() from
     gpsdrive to fix a potential symlink vulnerability. Removed
     unused unlinks of temporary files (Closes: #508597,#508596).
   * Added 102-unittest.dpatch to use mkdtemp in src/unit_test.c to
     fix a symlink vulnerability.
   * Updated patch for geo-code to avoid a potential race condition
     (CVE-2008-5380).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkl08hUACgkQHyt6sgW5ndYMxgCgxLla/LDw0teJH5XlpUl3bHY3
R9AAnRj4nBA1blyVagvE5Eh3PG1nrVCR
=Ba0x
-----END PGP SIGNATURE-----
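
The two remedies named in the changelog above (a `mkdtemp` directory instead of a fixed `/tmp/gpsdrive-unit-test`, and no writes to a fixed name such as `/tmp/gpsdrivepos`) can be checked with the added example below. It is not the content of 101-signalposreq.dpatch or 102-unittest.dpatch; the function names, the `/tmp/symlink-demo-XXXXXX` template and the file names `pos` and `other` are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hardened stand-in for fopen(fixed_path, "w"): O_CREAT|O_EXCL refuses a name
 * that already exists (a planted symlink included); 0600 keeps it private. */
FILE *fopen_new_only(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    FILE *f = (fd < 0) ? NULL : fdopen(fd, "w");
    if (fd >= 0 && f == NULL)
        close(fd);
    return f;
}

/* Constructed scenario, confined to a fresh mkdtemp() directory (mode 0700,
 * unpredictable name): "pos" already exists as a symlink to "other".
 * Returns 0 if the hardened open refuses "pos" and "other" is unchanged. */
int planted_symlink_is_refused(void)
{
    char dir[] = "/tmp/symlink-demo-XXXXXX";   /* hypothetical template */
    char other[64], pos[64], buf[16] = "";
    int refused = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(other, sizeof other, "%s/other", dir);
    snprintf(pos, sizeof pos, "%s/pos", dir);
    FILE *f = fopen(other, "w");               /* fine here: dir is ours alone */
    if (f != NULL) {
        fputs("keep", f);
        fclose(f);
    }
    if (symlink(other, pos) == 0) {
        f = fopen_new_only(pos);
        refused = (f == NULL);
        if (f != NULL)
            fclose(f);
    }
    f = fopen(other, "r");
    if (f != NULL) {
        buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
        fclose(f);
    }
    unlink(pos);
    unlink(other);
    rmdir(dir);
    return (refused && strcmp(buf, "keep") == 0) ? 0 : 1;
}
```

A plain `fopen(path, "w")` on the same name would follow the link and truncate the file it points to, which is the behaviour the report describes for `/tmp/gpsdrivepos`.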





Reply sent to Andreas Putzo <andreas@putzo.net>:
You have taken responsibility. (Mon, 02 Feb 2009 21:57:06 GMT)


Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Mon, 02 Feb 2009 21:57:06 GMT)


Message #27 received at 508597-close@bugs.debian.org:

From: Andreas Putzo <andreas@putzo.net>
To: 508597-close@bugs.debian.org
Subject: Bug#508597: fixed in gpsdrive 2.10~pre4-6.dfsg-1+lenny1
Date: Mon, 02 Feb 2009 21:47:10 +0000
Source: gpsdrive
Source-Version: 2.10~pre4-6.dfsg-1+lenny1

We believe that the bug you reported is fixed in the latest version of
gpsdrive, which is due to be installed in the Debian FTP archive:

gpsdrive-data_2.10~pre4-6.dfsg-1+lenny1_all.deb
  to pool/main/g/gpsdrive/gpsdrive-data_2.10~pre4-6.dfsg-1+lenny1_all.deb
gpsdrive-scripts_2.10~pre4-6.dfsg-1+lenny1_all.deb
  to pool/main/g/gpsdrive/gpsdrive-scripts_2.10~pre4-6.dfsg-1+lenny1_all.deb
gpsdrive_2.10~pre4-6.dfsg-1+lenny1.diff.gz
  to pool/main/g/gpsdrive/gpsdrive_2.10~pre4-6.dfsg-1+lenny1.diff.gz
gpsdrive_2.10~pre4-6.dfsg-1+lenny1.dsc
  to pool/main/g/gpsdrive/gpsdrive_2.10~pre4-6.dfsg-1+lenny1.dsc
gpsdrive_2.10~pre4-6.dfsg-1+lenny1_i386.deb
  to pool/main/g/gpsdrive/gpsdrive_2.10~pre4-6.dfsg-1+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 508597@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Putzo <andreas@putzo.net> (supplier of updated gpsdrive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 29 Dec 2008 16:08:22 +0000
Source: gpsdrive
Binary: gpsdrive gpsdrive-data gpsdrive-scripts
Architecture: source i386 all
Version: 2.10~pre4-6.dfsg-1+lenny1
Distribution: testing-proposed-updates
Urgency: low
Maintainer: Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>
Changed-By: Andreas Putzo <andreas@putzo.net>
Description: 
 gpsdrive   - Car navigation system
 gpsdrive-data - Car navigation system
 gpsdrive-scripts - Various scripts for gpsdrive
Closes: 508596 508597
Changes: 
 gpsdrive (2.10~pre4-6.dfsg-1+lenny1) testing-proposed-updates; urgency=low
 .
   * Remove example script gpssmswatch. Prone to symlink attacks
     and removed upstream.
   * Added 101-signalposreq.dpatch to remove signalposreq() from
     gpsdrive to fix a potential symlink vulnerability. Removed
     unused unlinks of temporary files (Closes: #508597,#508596).
   * Added 102-unittest.dpatch to use mkdtemp in src/unit_test.c to
     fix a symlink vulnerability.
   * Updated patch for geo-code to avoid a potential race condition
     (CVE-2008-5380).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmHaHUACgkQHyt6sgW5nda0sQCfSFrYjvJtlhX/jnZvTS00WsN0
xp0Anjs4JdpuM2/WEIVRLrTM8o/gFcMv
=X+Ru
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 11 Mar 2009 07:35:06 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 12:29:10 2025; Machine Name: buxtehude
