Hello community, here is the log from the commit of package gypsy for openSUSE:Factory checked in at 2012-07-10 13:41:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gypsy (Old) and /work/SRC/openSUSE:Factory/.gypsy.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gypsy", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/gypsy/gypsy.changes 2011-09-23 02:02:42.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.gypsy.new/gypsy.changes 2012-07-10 13:41:50.000000000 +0200 @@ -1,0 +2,10 @@ +Mon Jul 9 16:54:26 CEST 2012 - [email protected] + +- Add gypsy-CVE-2011-0523.patch: add config file to restrict the + files that can be read. Fix CVE-2011-0523 and bnc#666839. +- Add gypsy-CVE-2011-0524.patch: use snprintf() to avoid buffer + overflows. Fix CVE-2011-0524 and bnc#666839. +- Add gnome-common BuildRequires and call to gnome-autogen.sh for + gypsy-CVE-2011-0523.patch, since it touches the build system. + +------------------------------------------------------------------- New: ---- gypsy-CVE-2011-0523.patch gypsy-CVE-2011-0524.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gypsy.spec ++++++ --- /var/tmp/diff_new_pack.kknShO/_old 2012-07-10 13:41:55.000000000 +0200 +++ /var/tmp/diff_new_pack.kknShO/_new 2012-07-10 13:41:55.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package gypsy # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,20 +16,25 @@ # - Name: gypsy Version: 0.8 -Release: 5 -License: LGPL-2.1 +Release: 0 Summary: GPS multiplexing daemon -Url: http://gypsy.freedesktop.org/ +License: LGPL-2.1 Group: Hardware/Other +Url: http://gypsy.freedesktop.org/ Source0: %{name}-%{version}.tar.bz2 # PATCH-FIX-UPSTREAM gypsy-0.8-gcc46.patch [email protected] -- Fix gcc 4.6 compilation Patch1: gypsy-0.8-gcc46.patch +# PATCH-FIX-UPSTREAM gypsy-CVE-2011-0523.patch CVE-2011-0523 bnc#666839 fdo#33431 -- Add config file to restrict the files that can be read +Patch2: gypsy-CVE-2011-0523.patch +# PATCH-FIX-UPSTREAM gypsy-CVE-2011-0524.patch CVE-2011-0524 bnc#666839 fdo#33431 -- Use snprintf to avoid buffer overflow +Patch3: gypsy-CVE-2011-0524.patch BuildRequires: bluez-devel BuildRequires: dbus-1-glib-devel BuildRequires: glib2-devel +# needed for patch2 +BuildRequires: gnome-common BuildRequires: libxslt BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -44,7 +49,6 @@ %package -n libgypsy0 Summary: GPS multiplexing daemon - Library -License: LGPL-2.1 Group: Development/Libraries/Other %description -n libgypsy0 @@ -58,10 +62,9 @@ %package -n libgypsy-devel Summary: GPS multiplexing daemon - Development Files -License: LGPL-2.1 Group: Development/Libraries/Other -Requires: libgypsy0 = %{version} Requires: dbus-1-glib-devel +Requires: libgypsy0 = %{version} %description -n libgypsy-devel Gypsy is a GPS multiplexing daemon which allows multiple clients to @@ -75,6 +78,10 @@ %prep %setup -q %patch1 -p1 +%patch2 -p1 +%patch3 -p1 +# needed for patch2 +NOCONFIGURE=1 gnome-autogen.sh %build %configure --disable-static @@ -96,6 +103,7 @@ %doc AUTHORS COPYING TODO %{_libexecdir}/gypsy-daemon %{_sysconfdir}/dbus-1/system.d/*.conf +%config(noreplace) %{_sysconfdir}/gypsy.conf %{_datadir}/dbus-1/system-services/*.service %files -n libgypsy0 ++++++ gypsy-CVE-2011-0523.patch ++++++ >From aa071099802f3bf866cffbfb25196dcdf1fbba1e Mon Sep 17 00:00:00 2001 From: Michael Leibowitz <[email protected]> Date: Wed, 16 Mar 2011 22:29:06 -0700 Subject: [PATCH] Add a config file that specifies a whitelist of allowed devices This is in response to Bug 33431 "CVE-2011-0523: arbitrary file access and buffer overflows" A new config file, /etc/gypsy.conf, is added that specifies a whitelist of globs. By default, they are "/dev/tty*", "/dev/pgps", and "bluetooth" (which matches Bluetooth addresses). Signed-off-by: Michael Leibowitz <[email protected]> Further changes by Bastien Nocera <[email protected]> --- Makefile.am | 2 +- configure.ac | 3 ++ etc/Makefile.am | 2 + etc/gypsy.conf | 2 + src/gypsy-server.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++ src/gypsy-server.h | 1 + 6 files changed, 78 insertions(+), 1 deletions(-) create mode 100644 etc/Makefile.am create mode 100644 etc/gypsy.conf diff --git a/Makefile.am b/Makefile.am index 8b4090e..174a2af 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,4 +1,4 @@ -SUBDIRS = interfaces src gypsy examples docs +SUBDIRS = interfaces src gypsy examples docs etc pkgconfigdir = $(libdir)/pkgconfig pkgconfig_DATA = gypsy.pc diff --git a/configure.ac b/configure.ac index 3484051..a441ceb 100644 --- a/configure.ac +++ b/configure.ac @@ -43,6 +43,8 @@ DBUS_SYS_DIR="${sysconfdir}/dbus-1/system.d" AC_SUBST(DBUS_SYS_DIR) AC_DEFINE_UNQUOTED(DBUS_SYS_DIR, "$DBUS_SYS_DIR", [Where the system dir for D-Bus is]) +AC_DEFINE_UNQUOTED(CONFIG_FILE_PATH, "${sysconfdir}/gypsy.conf", [The absolute path of the config file]) + DBUS_SERVICES_DIR="${datadir}/dbus-1/system-services" AC_SUBST(DBUS_SERVICES_DIR) AC_DEFINE_UNQUOTED(DBUS_SERVICES_DIR, "$DBUS_SERVICES_DIR", [Where services dir for D-Bus is]) @@ -72,6 +74,7 @@ docs/Makefile docs/reference/Makefile docs/reference/version.xml docs/tools/Makefile +etc/Makefile gypsy.pc ]) diff --git a/etc/Makefile.am b/etc/Makefile.am new file mode 100644 index 0000000..77d58f4 --- /dev/null +++ b/etc/Makefile.am @@ -0,0 +1,2 @@ +configdir = $(sysconfdir) +dist_config_DATA = gypsy.conf diff --git a/etc/gypsy.conf b/etc/gypsy.conf new file mode 100644 index 0000000..be76a35 --- /dev/null +++ b/etc/gypsy.conf @@ -0,0 +1,2 @@ +[gypsy] +AllowedDeviceGlobs=/dev/tty*;/dev/pgps;bluetooth diff --git a/src/gypsy-server.c b/src/gypsy-server.c index e2e3c1c..3ff13f4 100644 --- a/src/gypsy-server.c +++ b/src/gypsy-server.c @@ -28,12 +28,17 @@ /* * GypsyServer - The main control object that creates GPS connection objects. */ +#include "config.h" #include <glib.h> #include <dbus/dbus-glib.h> #include <dbus/dbus-glib-bindings.h> #include <dbus/dbus-glib-lowlevel.h> +#ifdef HAVE_BLUEZ +#include <bluetooth/bluetooth.h> +#endif + #include "gypsy-server.h" #include "gypsy-client.h" @@ -49,6 +54,9 @@ typedef struct _GypsyServerPrivate { int client_count; /* When client_count returns to 0, we quit the daemon after TERMINATE_TIMEOUT */ guint32 terminate_id; + + gchar **allowed_device_globs; + gsize allowed_device_glob_count; } GypsyServerPrivate; static guint32 signals[LAST_SIGNAL] = {0, }; @@ -60,6 +68,9 @@ G_DEFINE_TYPE (GypsyServer, gypsy_server, G_TYPE_OBJECT); #define GYPSY_GPS_PATH "/org/freedesktop/Gypsy/" #define TERMINATE_TIMEOUT 10000 /* 10 second timeout */ +#define GYPSY_CONF_GROUP "gypsy" +#define GYPSY_CONF_GLOB_KEY "AllowedDeviceGlobs" + static void gypsy_server_create (GypsyServer *gps, const char *IN_device_path, DBusGMethodInvocation *context); @@ -102,6 +113,8 @@ gypsy_server_create (GypsyServer *gps, GypsyClient *client; char *path, *device_name, *sender; GList *list; + int i; + gboolean allowed; priv = GET_PRIVATE (gps); @@ -113,6 +126,40 @@ gypsy_server_create (GypsyServer *gps, } g_debug ("Creating client for %s", IN_device_path); + + /* compare priv->device_path to allowed globs + * if not allowed, error out */ + allowed = FALSE; + for (i = 0; i < priv->allowed_device_glob_count; i++) { + if (g_str_equal (priv->allowed_device_globs[i], "bluetooth")) { +#ifdef HAVE_BLUEZ + if (bachk (IN_device_path) == 0) { + allowed = TRUE; + break; + } +#else + continue; +#endif /* HAVE_BLUEZ */ + } + if (g_pattern_match_simple (priv->allowed_device_globs[i], + IN_device_path)) { + allowed = TRUE; + break; + } + } + if (allowed == FALSE) { + g_warning ("The device path %s is not allowed by config file", + IN_device_path); + GError *error = NULL; + error = g_error_new (GYPSY_SERVER_ERROR, + GYPSY_SERVER_ERROR_BAD_PATH, + "Bad path: %s", + IN_device_path); + dbus_g_method_return_error (context, error); + g_error_free (error); + return; + } + device_name = g_path_get_basename (IN_device_path); g_debug ("Device name: %s", device_name); path = g_strdup_printf ("%s%s", GYPSY_GPS_PATH, @@ -250,6 +297,7 @@ gypsy_server_init (GypsyServer *gps) { GypsyServerPrivate *priv = GET_PRIVATE (gps); GError *error = NULL; + GKeyFile *key_file = NULL; priv->connection = dbus_g_bus_get (DBUS_BUS_SYSTEM, &error); if (priv->connection == NULL) { @@ -265,6 +313,27 @@ gypsy_server_init (GypsyServer *gps) priv->client_count = 0; priv->terminate_id = 0; + + key_file = g_key_file_new(); + if (!g_key_file_load_from_file (key_file, CONFIG_FILE_PATH, + G_KEY_FILE_NONE, &error)) + goto error; + + priv->allowed_device_globs = g_key_file_get_string_list (key_file, + GYPSY_CONF_GROUP, + GYPSY_CONF_GLOB_KEY, + &(priv->allowed_device_glob_count), + &error); + if (!priv->allowed_device_globs) + goto error; + + return; + +error: + g_warning ("Error parsing config file:\n%s", + error->message); + g_error_free (error); + g_key_file_free (key_file); } void diff --git a/src/gypsy-server.h b/src/gypsy-server.h index 465f18e..3470ba7 100644 --- a/src/gypsy-server.h +++ b/src/gypsy-server.h @@ -37,6 +37,7 @@ G_BEGIN_DECLS typedef enum { GYPSY_SERVER_ERROR_NO_CLIENT, + GYPSY_SERVER_ERROR_BAD_PATH } GypsyServerError; typedef struct _GypsyServer { -- 1.7.6.2 ++++++ gypsy-CVE-2011-0524.patch ++++++ >From 03932804cd4b8e5a79c483fb05c82743f5ee93a2 Mon Sep 17 00:00:00 2001 From: Bastien Nocera <[email protected]> Date: Wed, 12 Oct 2011 12:15:44 +0100 Subject: [PATCH] Prevent buffer overflows in NMEA parsing By using snprintf() instead of sprintf. https://bugs.freedesktop.org/show_bug.cgi?id=33431 --- src/nmea-gen.c | 61 ++++++++++++++++++++++++++++--------------------------- 1 files changed, 31 insertions(+), 30 deletions(-) diff --git a/src/nmea-gen.c b/src/nmea-gen.c index a8c2483..c52f925 100644 --- a/src/nmea-gen.c +++ b/src/nmea-gen.c @@ -54,6 +54,7 @@ #include "nmea-gen.h" #define NMEA_BUF_SIZE 256 +#define NMEASTC_BUF_SIZE 256 #define NMEA_LATLON_SIZE 16 #define NMEA_UTC_SIZE 16 @@ -121,7 +122,7 @@ void nmea_getutc(D800_Pvt_Data_Type *pvt, char *utctime, char *utcdate) { h = tmp / 3600; m = (tmp - h*3600) / 60; s = (tmp - h*3600 - m*60); - sprintf(utctime, "%02d%02d%02d", h, m, s); + snprintf(utctime, NMEA_UTC_SIZE, "%02d%02d%02d", h, m, s); } if (utcdate) { @@ -149,7 +150,7 @@ void nmea_getutc(D800_Pvt_Data_Type *pvt, char *utctime, char *utcdate) { year -= 2000; - sprintf(utcdate, "%02d%02d%02d", day, month, year); + snprintf(utcdate, NMEA_UTC_SIZE, "%02d%02d%02d", day, month, year); } } @@ -157,16 +158,16 @@ void nmea_fmtlat(double lat, char *latstr) { double latdeg, tmp; latdeg = rad2deg(fabs(lat)); tmp = floor(latdeg); - sprintf(latstr, "%02d%07.4f,%c", (int)tmp, (latdeg - tmp) * 60, - (lat >= 0) ? 'N' : 'S'); + snprintf(latstr, NMEA_LATLON_SIZE, "%02d%07.4f,%c", (int)tmp, (latdeg - tmp) * 60, + (lat >= 0) ? 'N' : 'S'); } void nmea_fmtlon(double lon, char *lonstr) { double londeg, tmp; londeg = rad2deg(fabs(lon)); tmp = floor(londeg); - sprintf(lonstr, "%03d%07.4f,%c", (int)tmp, (londeg - tmp) * 60, - (lon >= 0) ? 'E' : 'W'); + snprintf(lonstr, NMEA_LATLON_SIZE, "%03d%07.4f,%c", (int)tmp, (londeg - tmp) * 60, + (lon >= 0) ? 'E' : 'W'); } /* @@ -216,12 +217,12 @@ int nmea_gpgga(D800_Pvt_Data_Type *pvt, cpo_sat_data *sat, char *nmeastc) { } } - sprintf(buf, "GPGGA,%s,%s,%s,%d,%02d,,%.1f,M,%.1f,M,,", utc, slat, slon, fix, nsat, - pvt->msl_hght + pvt->alt, -pvt->msl_hght); + snprintf(buf, NMEA_BUF_SIZE, "GPGGA,%s,%s,%s,%d,%02d,,%.1f,M,%.1f,M,,", utc, slat, slon, fix, nsat, + pvt->msl_hght + pvt->alt, -pvt->msl_hght); cksum = nmea_cksum(buf); - sprintf(nmeastc, "$%s*%02X\r\n", buf, cksum); + snprintf(nmeastc, NMEASTC_BUF_SIZE, "$%s*%02X\r\n", buf, cksum); return 0; } @@ -268,13 +269,13 @@ int nmea_gprmc(D800_Pvt_Data_Type *pvt, char *nmeastc) { g_lastcourse = course; /* remember for later */ } - sprintf(buf, "GPRMC,%s,%c,%s,%s,%05.1f,%05.1f,%s,,", utctime, - (pvt->fix >= 2 && pvt->fix <= 5) ? 'A' : 'V', - slat, slon, speed, course, utcdate); + snprintf(buf, NMEA_BUF_SIZE, "GPRMC,%s,%c,%s,%s,%05.1f,%05.1f,%s,,", utctime, + (pvt->fix >= 2 && pvt->fix <= 5) ? 'A' : 'V', + slat, slon, speed, course, utcdate); cksum = nmea_cksum(buf); - sprintf(nmeastc, "$%s*%02X\r\n", buf, cksum); + snprintf(nmeastc, NMEASTC_BUF_SIZE, "$%s*%02X\r\n", buf, cksum); return 0; } @@ -298,12 +299,12 @@ int nmea_gpgll(D800_Pvt_Data_Type *pvt, char *nmeastc) { /* longitude */ nmea_fmtlon(pvt->lon, slon); - sprintf(buf, "GPGLL,%s,%s,%s,%c", slat, slon, utctime, - (pvt->fix >= 2 && pvt->fix <= 5) ? 'A' : 'V'); + snprintf(buf, NMEA_BUF_SIZE, "GPGLL,%s,%s,%s,%c", slat, slon, utctime, + (pvt->fix >= 2 && pvt->fix <= 5) ? 'A' : 'V'); cksum = nmea_cksum(buf); - sprintf(nmeastc, "$%s*%02X\r\n", buf, cksum); + snprintf(nmeastc, NMEASTC_BUF_SIZE, "$%s*%02X\r\n", buf, cksum); return 0; } @@ -334,7 +335,7 @@ int nmea_gpgsa(D800_Pvt_Data_Type *pvt, cpo_sat_data *sat, char *nmeastc) { fprintf(stderr, "WARNING: unknown fix type %d\n", pvt->fix); } - sprintf(buf, "GPGSA,A,%d", fix); + snprintf(buf, NMEA_BUF_SIZE, "GPGSA,A,%d", fix); if (sat != NULL) { for (i = 0; i < SAT_MAX_COUNT; i++) { @@ -343,7 +344,7 @@ int nmea_gpgsa(D800_Pvt_Data_Type *pvt, cpo_sat_data *sat, char *nmeastc) { #ifdef DEBUG g_debug ("%s: using sat %2d", __FUNCTION__, sat[i].svid); #endif - sprintf(buf+strlen(buf), ",%02d", sat[i].svid); + snprintf(buf+strlen(buf), NMEA_BUF_SIZE - strlen(buf), ",%02d", sat[i].svid); nsat++; } else @@ -362,10 +363,10 @@ int nmea_gpgsa(D800_Pvt_Data_Type *pvt, cpo_sat_data *sat, char *nmeastc) { strcat(buf, ",,,,,,,,,,,,"); } - sprintf(buf+strlen(buf), ",,,"); // this should be DOP info + snprintf(buf+strlen(buf), NMEA_BUF_SIZE - strlen(buf),",,,"); // this should be DOP info cksum = nmea_cksum(buf); - sprintf(nmeastc, "$%s*%02X\r\n", buf, cksum); + snprintf(nmeastc, NMEASTC_BUF_SIZE, "$%s*%02X\r\n", buf, cksum); return 0; } @@ -386,9 +387,9 @@ int nmea_gpgsv(cpo_sat_data *sat, char *nmeastc) { int nsat, i, nout, msgi; if (sat == NULL) { - sprintf(buf, "GPGSV,1,1,00"); + snprintf(buf, NMEA_BUF_SIZE, "GPGSV,1,1,00"); cksum = nmea_cksum(buf); - sprintf(nmeastc, "$%s*%02X\r\n", buf, cksum); + snprintf(nmeastc, NMEASTC_BUF_SIZE, "$%s*%02X\r\n", buf, cksum); return 0; } @@ -417,15 +418,15 @@ int nmea_gpgsv(cpo_sat_data *sat, char *nmeastc) { if (nsat == 0) { /* build a 'null' GPGSV string */ - sprintf(buf, "GPGSV,1,1,00"); + snprintf(buf, NMEA_BUF_SIZE, "GPGSV,1,1,00"); cksum = nmea_cksum(buf); - sprintf(nmeastc, "$%s*%02X\r\n", buf, cksum); + snprintf(nmeastc, NMEASTC_BUF_SIZE, "$%s*%02X\r\n", buf, cksum); } else { /* scan the array again and build the GPGSV string(s) of active sats */ nout = 0; msgi = 1; nmeastc[0] = 0; - sprintf(buf, "GPGSV,%d,%d,%02d", (nsat-1)/4+1, msgi, nsat); + snprintf(buf, NMEA_BUF_SIZE, "GPGSV,%d,%d,%02d", (nsat-1)/4+1, msgi, nsat); for (i = 0; i < SAT_MAX_COUNT; i++) { if (((sat[i].status & SAT_STATUS_MASK) == SAT_STATUS_GOOD) && (sat[i].svid <= MAX_SAT_SVID)) { int snr; @@ -435,24 +436,24 @@ int nmea_gpgsv(cpo_sat_data *sat, char *nmeastc) { // else snr = sat[i].snr/100; /* empirically, this seems to be the correct factor */ - sprintf(buf+strlen(buf), ",%02d,%02d,%03d,%02d", - sat[i].svid, sat[i].elev, sat[i].azmth, snr); + snprintf(buf+strlen(buf), NMEA_BUF_SIZE - strlen(buf), ",%02d,%02d,%03d,%02d", + sat[i].svid, sat[i].elev, sat[i].azmth, snr); nout++; /* if we have accumulated a group of 4 sats, write out the string */ if (nout == 4) { cksum = nmea_cksum(buf); - sprintf(nmeastc+strlen(nmeastc), "$%s*%02X\r\n", buf, cksum); + snprintf(nmeastc+strlen(nmeastc), NMEASTC_BUF_SIZE - strlen(nmeastc), "$%s*%02X\r\n", buf, cksum); msgi++; nout = 0; - sprintf(buf, "GPGSV,%d,%d,%02d", (nsat-1)/4+1, msgi, nsat); + snprintf(buf, NMEA_BUF_SIZE, "GPGSV,%d,%d,%02d", (nsat-1)/4+1, msgi, nsat); } } } if (nout != 0) { cksum = nmea_cksum(buf); - sprintf(nmeastc+strlen(nmeastc), "$%s*%02X\r\n", buf, cksum); + snprintf(nmeastc+strlen(nmeastc), NMEASTC_BUF_SIZE - strlen(nmeastc), "$%s*%02X\r\n", buf, cksum); } } -- 1.7.6.2 -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
