Red Hat Bugzilla – Bug 475478
CVE-2008-5380 gpsdrive: Insecure temporary file use in geo-code, geo-nearest (symlink attack)
Last modified: 2009-08-27 14:05:07 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5380 to
the following vulnerability:
gpsdrive (aka gpsdrive-scripts) 2.09 allows local users to overwrite
arbitrary files via a symlink attack on an (a) /tmp/geo#####, a (b)
/tmp/geocaching.loc, a (c) /tmp/geo#####.*, or a (d) /tmp/geo.*
temporary file, related to the (1) geo-code and (2) geo-nearest
scripts, different vectors than CVE-2008-4959.
Sample related code (from /usr/bin/geo-code):
272 cp $COORDS /tmp/geo.google
298 filter="tee /tmp/geo.yahoo"
310 cp $COORDS /tmp/geo.coords
Problem: A malicious attacker could pre-create a symlink with its target set to
any system file. Subsequently running the above scripts could truncate
or change any system file.
If these files do not need to be shipped within the gpsdrive
package, remove them, or apply a fix via 'mktemp'.
This issue affects all versions of the gpsdrive package, as shipped
with Fedora releases of 8, 9 and 10.
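The following is an added example, not code from gpsdrive, its scripts, or this bug report. It reproduces the clobbering described above in a private scratch directory that stands in for /tmp (so nothing on the real system is touched), using a fixed name modelled on "cp $COORDS /tmp/geo.google", and then shows the mktemp-based fix the report suggests. SANDBOX, VICTIM, COORDS, the file contents and all function names are assumptions made for the demo; attacker and victim run as the same user here, which is enough to show the mechanism.

```shell
#!/bin/sh
# Added example, not gpsdrive code: symlink clobbering via a predictable tmp
# name, and the mktemp -d fix. All names and contents below are constructed.

SANDBOX=$(mktemp -d) || exit 1          # plays the role of the shared /tmp
VICTIM="$SANDBOX/etc_passwd"            # plays the role of an arbitrary system file
COORDS="$SANDBOX/coords.txt"            # constructed input, like $COORDS in geo-code
VICTIM_CONTENT='root:x:0:0:root:/root:/bin/sh'

reset_victim() {
    printf '%s\n' "$VICTIM_CONTENT" > "$VICTIM"
    printf 'N 47.000 E 008.000\n' > "$COORDS"
}

# 0 if the stand-in system file still has its original content.
victim_intact() {
    [ "$(cat "$VICTIM")" = "$VICTIM_CONTENT" ]
}

# Attacker's move: the victim file is not writable by the attacker, but the
# shared tmp dir is, so plant a symlink at the name the script is known to use.
plant_symlink() {
    ln -sf "$VICTIM" "$SANDBOX/geo.google"
}

# Vulnerable pattern, modelled on "cp $COORDS /tmp/geo.google": cp follows the
# planted symlink on the destination side and overwrites the link's target.
vuln_copy() {
    cp "$COORDS" "$SANDBOX/geo.google"
}

# Hardened pattern: a per-run directory from mktemp -d (random name, mode 0700).
# The attacker cannot predict the name, so there is nothing to pre-create, and
# the mode stops them from adding a symlink later. Every scratch file the script
# needs (geo.google, geo.yahoo, geo.coords, ...) goes inside this directory.
# Prints the directory so the caller can remove it when done.
safe_copy() {
    tmpd=$(mktemp -d "$SANDBOX/geo.XXXXXX") || return 1
    cp "$COORDS" "$tmpd/geo.google"
    echo "$tmpd"
}

# Demonstration run.
reset_victim
plant_symlink
vuln_copy
if victim_intact; then
    echo "vulnerable cp: victim unexpectedly intact"
else
    echo "vulnerable cp: victim overwritten through the planted symlink"
fi

reset_victim
plant_symlink                           # the link at the old fixed name is now harmless
d=$(safe_copy) || exit 1
if victim_intact; then
    echo "mktemp -d: victim intact, data written to $d/geo.google"
fi
rm -rf "$d"
```

The same idea applies to the tee lines ("tee /tmp/geo.yahoo"): point them at files inside the mktemp -d directory rather than renaming them under /tmp, and remove the directory on exit. Note that neither noclobber nor umask helps here, because cp and tee follow an existing symlink on the destination path.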
What is the difference to CVE-2008-4959? IIRC, it only covered geo-code, so there may be some extra issues in geo-nearest, though all the samples provided seem to be dupes of what's already covered by CVE-2008-4959.
See previous bug #470241.
Created attachment 326897 [details]
patch for issue.
geo-nearest does have the same issues...
Here's a proposed patch for it.
I don't see anything else with the other script.
See my comment at:
There are some new issues reported in the Debian BTS:
(example is probably not a big deal and not easy to address via update)
Created attachment 327066 [details]
patch for geo-nearest
Here's another patch for geo-nearest.
It seems to miss two tee output files, and may need something like:
--- geo-nearest.orig2 2008-12-16 14:46:14.000000000 +0100
+++ geo-nearest 2008-12-16 14:49:16.000000000 +0100
@@ -255,8 +255,8 @@
# Loop, getting at least "NUM" locations
if [ $DEBUG -gt 0 ]; then
- filter1="tee $TMP.page"
- filter2="tee $TMP.bulk"
+ filter1="tee $TMP/nearest_cache.page"
+ filter2="tee $TMP/waypoints.bulk"
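Review bot: The renames to $TMP/nearest_cache.page and $TMP/waypoints.bulk only close the symlink hole if $TMP is a private per-run directory created earlier with mktemp -d (mode 0700, unpredictable name); that creation is not visible in this hunk, and with a fixed or guessable $TMP the new names are as attackable as $TMP.page was. Worth confirming where $TMP is set, and that remove_cruft removes the whole directory rather than the individual files.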
On the other hand, remove_cruft will delete that at the end anyway, so not far away from setting filterX to cat unconditionally.
Created attachment 327196 [details]
new patch for geo-nearest
Good catch. Revised patch attached.
(In reply to comment #4)
> There are some new issues reported in the Debian BTS:
This is on its way to getting a new CVE id:
Upstream bug related to all these temp file issues:
Kevin, will you add our patches there?
(In reply to comment #8)
> Kevin, will you add our patches there?
I commented in Debian BTS:
and in SF.net tracker.
Affected scripts were dropped upstream:
Ooops, copy-n-paste-o, link above should be:
(commit that drops geo-code, geo-nearest and gpssmswatch)
gpsdrive-2.09-7.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
gpsdrive-2.09-7.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This was fixed ages ago.