Bug 475478 - (CVE-2008-5380) CVE-2008-5380 gpsdrive: Insecure temporary file use in geo-code, geo-nearest (symlink attack)
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
http://lists.debian.org/debian-devel/...
public=20080811,reported=20081209,sou...
Reported: 2008-12-09 08:06 EST by Jan Lieskovsky
Modified: 2009-08-27 14:05 EDT (History)
Doc Type: Bug Fix
Last Closed: 2009-08-27 14:05:07 EDT
Attachments
patch for issue. (1.94 KB, patch)
2008-12-14 20:41 EST, Kevin Fenzi
patch for geo-nearest (1.13 KB, patch)
2008-12-16 01:26 EST, Kevin Fenzi
new patch for geo-nearest (1.40 KB, patch)
2008-12-16 21:45 EST, Kevin Fenzi
Description Jan Lieskovsky 2008-12-09 08:06:59 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5380 to
the following vulnerability:

gpsdrive (aka gpsdrive-scripts) 2.09 allows local users to overwrite
arbitrary files via a symlink attack on an (a) /tmp/geo#####, a (b)
/tmp/geocaching.loc, a (c) /tmp/geo#####.*, or a (d) /tmp/geo.*
temporary file, related to the (1) geo-code and (2) geo-nearest
scripts, different vectors than CVE-2008-4959.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5380
http://lists.debian.org/debian-devel/2008/08/msg00285.html

Affected scripts:
/usr/bin/geo-code
/usr/bin/geo-nearest

Sample related code (from /usr/bin/geo-code):
TMP=/tmp/geo$$                # predictable name (PID only) in world-writable /tmp
cp $COORDS /tmp/geo.google    # fixed name; a pre-planted symlink is followed on write
filter="tee /tmp/geo.yahoo"   # same problem via tee
cp $COORDS /tmp/geo.coords    # same problem via cp

Problem: A malicious attacker could pre-create a symlink with target to
any system file. Subsequent running of the above scripts could
truncate/change any system file.

If these files do not need to be shipped within the gpsdrive
package, remove them, or apply a fix via 'mktemp'.
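A hardened version of the temp-file pattern described in this report, added here as an example; it is not gpsdrive's code and not one of the attached patches. The function names (make_workdir, safe_write, cleanup_workdir, unsafe_temp_path) and the geo.XXXXXX template are assumptions. The point it demonstrates is the one the report asks for: replace the predictable /tmp/geo$$ prefix and the fixed /tmp/geo.* names with a private directory from mktemp -d, so no other local user can plant a symlink at any path the script will write to.

```shell
#!/bin/sh
# Added example (not gpsdrive's own code): the temp-file handling that
# geo-code and geo-nearest should have used instead of /tmp/geo$$ and the
# fixed names /tmp/geo.google, /tmp/geo.yahoo, /tmp/geo.coords.
# Function and variable names are hypothetical.

# make_workdir: create a private working directory and print its path.
# mktemp -d creates the directory atomically with mode 0700 and a random
# suffix, so another local user can neither predict the name nor place a
# symlink at any path underneath it before the script writes there.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/geo.XXXXXX"
}

# safe_write WORKDIR NAME CONTENT: write CONTENT to WORKDIR/NAME.
# The symlink check is defence in depth: inside a 0700 directory nobody
# else can create an entry, but the check still catches a caller that
# passes a shared directory such as /tmp by mistake.
safe_write() {
    target="$1/$2"
    if [ -L "$target" ]; then
        printf 'refusing to write through symlink: %s\n' "$target" >&2
        return 1
    fi
    printf '%s\n' "$3" > "$target"
}

# cleanup_workdir WORKDIR: remove the directory and everything in it
# (the role remove_cruft plays in geo-nearest).
cleanup_workdir() {
    [ -n "$1" ] && rm -rf -- "$1"
}

# unsafe_temp_path PATH: return 0 if PATH is the kind of target this CVE
# describes: a pre-existing symlink, or an existing file not owned by the
# current user. Usable as a pre-flight check in a script that still uses
# fixed names and cannot yet be converted to mktemp.
unsafe_temp_path() {
    [ -L "$1" ] && return 0
    [ -e "$1" ] && [ ! -O "$1" ] && return 0
    return 1
}

# Demonstration; run with: sh geo-tmp.sh --demo
if [ "${1:-}" = "--demo" ]; then
    WORKDIR=$(make_workdir) || exit 1
    trap 'cleanup_workdir "$WORKDIR"' EXIT
    # constructed sample coordinates
    safe_write "$WORKDIR" coords "N 40 44.000 W 073 59.000" || exit 1
    cat "$WORKDIR/coords"
fi
```

The trap on EXIT in the demo is what makes the cleanup reliable: the original scripts left /tmp/geo.* behind on any early exit, which is also what makes a fixed name attractive to pre-create. Note that unsafe_temp_path is a check, not a fix; a check-then-write on a shared directory is still a race, which is why the real remedy is the private directory.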
Comment 1 Jan Lieskovsky 2008-12-09 08:16:43 EST
This issue affects all versions of the gpsdrive package, as shipped
with Fedora releases of 8, 9 and 10.

Please update.
Comment 2 Tomas Hoger 2008-12-09 09:24:03 EST
What is the difference to CVE-2008-4959?  IIRC, it only covered geo-code, so there may be some extra issues in geo-nearest, though all the samples provided seem to be dupes of what's already covered by CVE-2008-4959.

See previous bug #470241.
Comment 3 Kevin Fenzi 2008-12-14 20:41:27 EST
Created attachment 326897 [details]
patch for issue.

geo-nearest does have the same issues... 
Here's a proposed patch for it. 

I don't see anything else with the other script.
Comment 4 Tomas Hoger 2008-12-15 05:49:46 EST
See my comment at:
  https://bugzilla.redhat.com/show_bug.cgi?id=470241#c6

There are some new issues reported in the Debian BTS:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508597
  (example is probably not a big deal and not easy to address via update)
Comment 5 Kevin Fenzi 2008-12-16 01:26:31 EST
Created attachment 327066 [details]
patch for geo-nearest

Here's another patch for geo-nearest.
Comment 6 Tomas Hoger 2008-12-16 08:51:37 EST
It seems to miss two tee output files, and may need something like:

--- geo-nearest.orig2	2008-12-16 14:46:14.000000000 +0100
+++ geo-nearest	2008-12-16 14:49:16.000000000 +0100
@@ -255,8 +255,8 @@
 # Loop, getting at least "NUM" locations
 #
 if [ $DEBUG -gt 0 ]; then
-    filter1="tee $TMP.page"
-    filter2="tee $TMP.bulk"
+    filter1="tee $TMP/nearest_cache.page"
+    filter2="tee $TMP/waypoints.bulk"
 else
     filter1=cat
     filter2=cat
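Review bot: the new targets `tee $TMP/nearest_cache.page` and `tee $TMP/waypoints.bulk` are only safe if `$TMP` is now a freshly created private directory (mktemp -d) rather than the old `/tmp/geo$$` prefix; how `$TMP` is set is outside this hunk, so the change should land together with the one that defines it, and it is worth confirming that the script aborts when mktemp fails instead of continuing with an empty `$TMP` and writing to `/nearest_cache.page`. Since this branch only runs when `$DEBUG -gt 0`, the smaller change is to set `filter1=cat` and `filter2=cat` unconditionally and drop the debug copies altogether.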

On the other hand, remove_cruft will delete that at the end anyway, so not far away from setting filterX to cat unconditionally.
Comment 7 Kevin Fenzi 2008-12-16 21:45:47 EST
Created attachment 327196 [details]
new patch for geo-nearest

Good catch. Revised patch attached.
Comment 8 Tomas Hoger 2008-12-17 03:14:36 EST
Looks better.

(In reply to comment #4)
> There are some new issues reported in the Debian BTS:
>   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508597

This is on its way to getting a new CVE id:
  http://www.openwall.com/lists/oss-security/2008/12/17/15

Upstream bug related to all these temp file issues:
http://sourceforge.net/tracker/index.php?func=detail&aid=2121124&group_id=148048&atid=770280

Kevin, will you add our patches there?
Comment 9 Tomas Hoger 2008-12-17 05:01:41 EST
(In reply to comment #8)
> Kevin, will you add our patches there?

I commented in Debian BTS:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508595#20

and in SF.net tracker.
Comment 10 Tomas Hoger 2008-12-19 14:01:08 EST
Affected scripts were dropped upstream:
http://gpsdrive.svn.sourceforge.net/viewvc/gpsdrive?view=rev&revision=220
Comment 11 Tomas Hoger 2009-01-27 03:30:36 EST
Oops, copy-n-paste-o; the link above should be:
http://gpsdrive.svn.sourceforge.net/viewvc/gpsdrive?view=rev&revision=2204
(commit that drops geo-code, geo-nearest and gpssmswatch)
Comment 12 Fedora Update System 2009-02-04 21:10:14 EST
gpsdrive-2.09-7.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2009-02-04 21:22:38 EST
gpsdrive-2.09-7.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Kevin Fenzi 2009-08-27 14:05:07 EDT
This was fixed ages ago.