[DebianGIS-dev] Bug#508597: gpsdriver: allows local users to overwrite arbitrary files via a symlink attack
Hi, On Dec 12 16:27, Raphael Geissert wrote: Package: gpsdrive Version: 2.10~pre4-6.dfsg-1 Tags: security Severity: important I have found three other attack vectors: /usr/share/doc/gpsdrive/examples/gpssmswatch: src/splash.c i think this was used to e.g. dump the current position to a file and send a sms to a mobile phone. It requires the user to send SIGUSR1 to the gpsdrive process which makes this attack vector more unlikely to be successful. In my opinion this functionality is obsolete anyway and should be removed from gpsdrive. Regarding splash.c there's already a bug in the gpsdrive bug tracker (set forward accordingly). src/unit_test.c: g_snprintf (dir_proc, sizeof (dir_proc), /tmp/gpsdrive-unit-test); g_snprintf (dir_proc, sizeof (dir_proc), /tmp/gpsdrive-unit-test/proc); Will look into this. Cheers, Andreas signature.asc Description: Digital signature ___ Pkg-grass-devel mailing list Pkg-grass-devel@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel
[DebianGIS-dev] Bug#508597: gpsdriver: allows local users to overwrite arbitrary files via a symlink attack
Package: gpsdrive Version: 2.10~pre4-6.dfsg-1 Tags: security Severity: important Hi, I have found three other attack vectors: /usr/share/doc/gpsdrive/examples/gpssmswatch: FILE=/tmp/.smswatch while [ 1 = 1 ] do gnokii --getsms SM 1 $FILE if [ $? = 0 ];then gnokii --deletesms SM 1 fi grep PLSSENDPOS $FILE if [ $? = 0 ];then echo -e position request found\n NUMBER=`grep Sender /tmp/.smswatch|awk '{print $2}'` killall -USR1 gpsdrive echo sending cat /tmp/gpsdrivepos echo -e to number $NUMBER\n gnokii --sendsms $NUMBER /tmp/gpsdrivepos src/splash.c f = fopen (/tmp/gpsdrivepos, w); if (f == NULL) { perror (/tmp/gpsdrivepos); return; } time (t); ts = localtime (t); fprintf (f, asctime (ts)); fprintf (f, POS %f %f\n, coords.current_lat, coords.current_lon); fclose (f); src/unit_test.c: g_snprintf (dir_proc, sizeof (dir_proc), /tmp/gpsdrive-unit-test); g_snprintf (dir_proc, sizeof (dir_proc), /tmp/gpsdrive-unit-test/proc); Cheers, -- Raphael Geissert - Debian Maintainer www.debian.org - get.debian.net signature.asc Description: This is a digitally signed message part. ___ Pkg-grass-devel mailing list Pkg-grass-devel@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel