[DebianGIS-dev] Bug#508597: gpsdriver: allows local users to overwrite arbitrary files via a symlink attack

2008-12-15 Thread Andreas Putzo 
Hi,

On Dec 12  16:27, Raphael Geissert wrote:
 Package: gpsdrive
 Version: 2.10~pre4-6.dfsg-1
 Tags: security
 Severity: important
 I have found three other attack vectors:
 
 /usr/share/doc/gpsdrive/examples/gpssmswatch:
 src/splash.c

i think this was used to e.g. dump the current position to 
a file and send a sms to a mobile phone. It requires the user
to send SIGUSR1 to the gpsdrive process which makes this attack vector 
more unlikely to be successful. In my opinion this functionality is
obsolete anyway and should be removed from gpsdrive.
Regarding splash.c there's already a bug in the gpsdrive bug tracker
(set forward accordingly).

 src/unit_test.c:
  g_snprintf (dir_proc, sizeof (dir_proc), /tmp/gpsdrive-unit-test);
  g_snprintf (dir_proc, sizeof (dir_proc), /tmp/gpsdrive-unit-test/proc);

Will look into this.

Cheers, 
Andreas



signature.asc
Description: Digital signature
___
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel

[DebianGIS-dev] Bug#508597: gpsdriver: allows local users to overwrite arbitrary files via a symlink attack

2008-12-12 Thread Raphael Geissert 
Package: gpsdrive
Version: 2.10~pre4-6.dfsg-1
Tags: security
Severity: important

Hi,

I have found three other attack vectors:

/usr/share/doc/gpsdrive/examples/gpssmswatch:
 FILE=/tmp/.smswatch
 while [ 1 = 1 ]
 do
 gnokii --getsms SM 1  $FILE
 if [ $? = 0 ];then
 gnokii --deletesms SM 1
 fi
 grep PLSSENDPOS $FILE
 if [ $? = 0 ];then
 echo -e position request found\n
 NUMBER=`grep Sender /tmp/.smswatch|awk '{print $2}'`
 killall -USR1 gpsdrive

 echo sending 
 cat /tmp/gpsdrivepos
 echo -e to number $NUMBER\n
 gnokii --sendsms $NUMBER  /tmp/gpsdrivepos

src/splash.c
 f = fopen (/tmp/gpsdrivepos, w);
 if (f == NULL)
 {
 perror (/tmp/gpsdrivepos);
 return;
 }
 time (t);
 ts = localtime (t);
 fprintf (f, asctime (ts));
 fprintf (f, POS %f %f\n, coords.current_lat, coords.current_lon);
 fclose (f);

src/unit_test.c:
 g_snprintf (dir_proc, sizeof (dir_proc), /tmp/gpsdrive-unit-test);
 g_snprintf (dir_proc, sizeof (dir_proc), /tmp/gpsdrive-unit-test/proc);

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net


signature.asc
Description: This is a digitally signed message part.
___
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-devel