Bug 475478 (CVE-2008-5380)

Summary: CVE-2008-5380 gpsdrive: Insecure temporary file use in geo-code, geo-nearest (symlink attack)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: kevin, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://lists.debian.org/debian-devel/2008/08/msg00285.html
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-08-27 18:05:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
patch for issue.
none
patch for geo-nearest
none
new patch for geo-nearest none

Description Jan Lieskovsky 2008-12-09 13:06:59 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5380 to
the following vulnerability:

gpsdrive (aka gpsdrive-scripts) 2.09 allows local users to overwrite
arbitrary files via a symlink attack on an (a) /tmp/geo#####, a (b)
/tmp/geocaching.loc, a (c) /tmp/geo#####.*, or a (d) /tmp/geo.*
temporary file, related to the (1) geo-code and (2) geo-nearest
scripts, different vectors than CVE-2008-4959.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5380
http://lists.debian.org/debian-devel/2008/08/msg00285.html

Affected scripts:
/usr/bin/geo-code
/usr/bin/geo-nearest

Sample related code (from /usr/bin/geo-code):
251 TMP=/tmp/geo$$
272                 cp $COORDS /tmp/geo.google
298     filter="tee /tmp/geo.yahoo"
310         cp $COORDS /tmp/geo.coords

Problem: A malicious attacker could pre-create symlink with target to
any system file. Subsequent running of above scripts could truncate
/change any system file.

If these files does not needed to be shipped within the gpsdrive
package, remove them, or apply fix via 'mktemp'.
Comment 1 Jan Lieskovsky 2008-12-09 13:16:43 UTC 
This issue affects all versions of the gpsdrive package, as shipped
with Fedora releases of 8, 9 and 10.

Please update.
Comment 2 Tomas Hoger 2008-12-09 14:24:03 UTC 
What is the difference to CVE-2008-4959?  IIRC, it only covered geo-code, so there may be some extra issues in geo-nearest, though all the samples provided seem to be dupes of what's already covered by CVE-2008-4959.

See previous bug #470241.
Comment 3 Kevin Fenzi 2008-12-15 01:41:27 UTC 
Created attachment 326897 [details]
patch for issue.

geo-nearest does have the same issues... 
Here's a proposed patch for it. 

I don't see anything else with the other script.
Comment 4 Tomas Hoger 2008-12-15 10:49:46 UTC 
See my comment at:
  https://bugzilla.redhat.com/show_bug.cgi?id=470241#c6

There are some new issues reported in the Debian BTS:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508597
  (example is probably not a big deal and not easy to address via update)
Comment 5 Kevin Fenzi 2008-12-16 06:26:31 UTC 
Created attachment 327066 [details]
patch for geo-nearest

Here's another patch for geo-nearest.
Comment 6 Tomas Hoger 2008-12-16 13:51:37 UTC 
It seems to miss two tee output files, and may need something like:

--- geo-nearest.orig2	2008-12-16 14:46:14.000000000 +0100
+++ geo-nearest	2008-12-16 14:49:16.000000000 +0100
@@ -255,8 +255,8 @@
 # Loop, getting at least "NUM" locations
 #
 if [ $DEBUG -gt 0 ]; then
-    filter1="tee $TMP.page"
-    filter2="tee $TMP.bulk"
+    filter1="tee $TMP/nearest_cache.page"
+    filter2="tee $TMP/waypoints.bulk"
 else
     filter1=cat
     filter2=cat

On the other hand, remove_cruft will delete that at the end anyway, so not far away from setting filterX to cat unconditionally.
Comment 7 Kevin Fenzi 2008-12-17 02:45:47 UTC 
Created attachment 327196 [details]
new patch for geo-nearest

Good catch. Revised patch attached.
Comment 8 Tomas Hoger 2008-12-17 08:14:36 UTC 
Looks better.

(In reply to comment #4)
> There are some new issues reported in the Debian BTS:
>   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508597

This is on a way to get new CVE id:
  http://www.openwall.com/lists/oss-security/2008/12/17/15

Upstream bug related to all these temp file issues:
http://sourceforge.net/tracker/index.php?func=detail&aid=2121124&group_id=148048&atid=770280

Kevin, will you add our patches there?
Comment 9 Tomas Hoger 2008-12-17 10:01:41 UTC 
(In reply to comment #8)
> Kevin, will you add our patches there?

I commented in Debian BTS:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508595#20

and in SF.net tracker.
Comment 10 Tomas Hoger 2008-12-19 19:01:08 UTC 
Affected scripts were dropped upstream:
http://gpsdrive.svn.sourceforge.net/viewvc/gpsdrive?view=rev&revision=220
Comment 11 Tomas Hoger 2009-01-27 08:30:36 UTC 
Ooops, copy-n-paste-o, link above should be:
http://gpsdrive.svn.sourceforge.net/viewvc/gpsdrive?view=rev&revision=2204
(commit that drops geo-code, geo-nearest and gpssmswatch)
Comment 12 Fedora Update System 2009-02-05 02:10:14 UTC 
gpsdrive-2.09-7.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2009-02-05 02:22:38 UTC 
gpsdrive-2.09-7.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Kevin Fenzi 2009-08-27 18:05:07 UTC 
This was fixed ages ago.