Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5380 to the following vulnerability:

gpsdrive (aka gpsdrive-scripts) 2.09 allows local users to overwrite arbitrary files via a symlink attack on an (a) /tmp/geo#####, a (b) /tmp/geocaching.loc, a (c) /tmp/geo#####.*, or a (d) /tmp/geo.* temporary file, related to the (1) geo-code and (2) geo-nearest scripts, different vectors than CVE-2008-4959.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5380
http://lists.debian.org/debian-devel/2008/08/msg00285.html

Affected scripts:
/usr/bin/geo-code
/usr/bin/geo-nearest

Sample related code (from /usr/bin/geo-code):
251 TMP=/tmp/geo$$
272 cp $COORDS /tmp/geo.google
298 filter="tee /tmp/geo.yahoo"
310 cp $COORDS /tmp/geo.coords

Problem: A malicious attacker could pre-create a symlink with a target of any system file. Subsequent running of the above scripts could then truncate/change any system file. If these files do not need to be shipped within the gpsdrive package, remove them, or apply a fix via 'mktemp'.
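As an added illustration of the 'mktemp' fix the report recommends (example code written here, not code from the gpsdrive package or from any of the attached patches): a per-run private directory replaces the predictable /tmp/geo$$ name, a write helper refuses to follow any pre-existing path, and an audit helper lists fixed-name /tmp uses in a script. The names geo_tmpdir, geo_safe_write, geo_audit_script and GEO_TMP are assumptions.

```shell
#!/bin/sh
# Added example, not code from the gpsdrive package. Shows the fix the
# report recommends: replace the predictable "TMP=/tmp/geo$$" name with
# a private directory from mktemp(1). Function and variable names
# (geo_tmpdir, geo_safe_write, geo_audit_script, GEO_TMP) are assumed.

# Create one private scratch directory (mode 0700, random suffix) and
# arrange for it to be removed on exit, like gpsdrive's remove_cruft.
# Every temporary file of the run then lives under $GEO_TMP instead of
# under a fixed, guessable name in the world-writable /tmp.
geo_tmpdir() {
    GEO_TMP=$(mktemp -d "${TMPDIR:-/tmp}/geo.XXXXXXXX") || return 1
    trap 'rm -rf "$GEO_TMP"' EXIT INT TERM
}

# Write stdin to "$GEO_TMP/<name>". Refuse when the name already exists
# in any form, including a dangling symlink, so a planted link is never
# followed. The private directory is the real protection; this check is
# a second layer that also catches a script reusing a name twice.
geo_safe_write() {
    target="$GEO_TMP/$1"
    if [ -e "$target" ] || [ -L "$target" ]; then
        echo "geo_safe_write: refusing to write, $target exists" >&2
        return 1
    fi
    cat > "$target"
}

# Audit helper for reviewing other scripts: print each line that opens
# a fixed path under /tmp (the pattern behind this bug), skipping lines
# that obtain the name from mktemp. Exits 1 when nothing is found.
geo_audit_script() {
    grep -n '/tmp/' "$1" | grep -v 'mktemp'
}

# Demo run: private directory, then one safe write of constructed data.
geo_tmpdir || exit 1
printf 'N 50.0 E 14.0\n' | geo_safe_write coords || exit 1
cat "$GEO_TMP/coords"
```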
This issue affects all versions of the gpsdrive package, as shipped with Fedora releases of 8, 9 and 10. Please update.
What is the difference from CVE-2008-4959? IIRC, it only covered geo-code, so there may be some extra issues in geo-nearest, though all the samples provided seem to be dupes of what's already covered by CVE-2008-4959. See previous bug #470241.
Created attachment 326897: patch for issue.

geo-nearest does have the same issues... Here's a proposed patch for it. I don't see anything else with the other script.
See my comment at: https://bugzilla.redhat.com/show_bug.cgi?id=470241#c6

There are some new issues reported in the Debian BTS: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508597 (example is probably not a big deal and not easy to address via update)
Created attachment 327066: patch for geo-nearest.

Here's another patch for geo-nearest.
It seems to miss two tee output files, and may need something like: --- geo-nearest.orig2 2008-12-16 14:46:14.000000000 +0100 +++ geo-nearest 2008-12-16 14:49:16.000000000 +0100 @@ -255,8 +255,8 @@ # Loop, getting at least "NUM" locations # if [ $DEBUG -gt 0 ]; then - filter1="tee $TMP.page" - filter2="tee $TMP.bulk" + filter1="tee $TMP/nearest_cache.page" + filter2="tee $TMP/waypoints.bulk" else filter1=cat filter2=cat On the other hand, remove_cruft will delete that at the end anyway, so not far away from setting filterX to cat unconditionally.
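Review bot: the new debug paths $TMP/nearest_cache.page and $TMP/waypoints.bulk are only safe if $TMP is by now a private directory created with mktemp -d earlier in the script, which this hunk does not show; confirm the earlier part of the patch makes that change, and check that remove_cruft removes the directory itself rather than only $TMP.* files, since these new names no longer match a $TMP.* glob.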
Created attachment 327196: new patch for geo-nearest.

Good catch. Revised patch attached.
Looks better.

(In reply to comment #4)
> There are some new issues reported in the Debian BTS:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508597

This is on its way to getting a new CVE id: http://www.openwall.com/lists/oss-security/2008/12/17/15

Upstream bug related to all these temp file issues: http://sourceforge.net/tracker/index.php?func=detail&aid=2121124&group_id=148048&atid=770280

Kevin, will you add our patches there?
(In reply to comment #8)
> Kevin, will you add our patches there?

I commented in Debian BTS: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508595#20 and in SF.net tracker.
Affected scripts were dropped upstream: http://gpsdrive.svn.sourceforge.net/viewvc/gpsdrive?view=rev&revision=220
Ooops, copy-n-paste-o, link above should be: http://gpsdrive.svn.sourceforge.net/viewvc/gpsdrive?view=rev&revision=2204 (commit that drops geo-code, geo-nearest and gpssmswatch)
gpsdrive-2.09-7.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
gpsdrive-2.09-7.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This was fixed ages ago.