Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5703 to the following vulnerability:

gpsdrive (aka gpsdrive-scripts) 2.10~pre4 allows local users to overwrite arbitrary files via a symlink attack on the (a) /tmp/.smswatch or (b) /tmp/gpsdrivepos temporary file, related to (1) examples/gpssmswatch and (2) src/splash.c, different vectors than CVE-2008-4959 and CVE-2008-5380.

References:
http://openwall.com/lists/oss-security/2008/12/17/15
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508597
http://sourceforge.net/tracker/index.php?func=detail&aid=2121124&group_id=148048&atid=770280
http://www.securityfocus.com/bid/32887
Upstream fixes:

gpssmswatch was removed in:
http://gpsdrive.svn.sourceforge.net/viewvc/gpsdrive?view=rev&revision=2204

src/splash.c was fixed via:
http://gpsdrive.svn.sourceforge.net/viewvc/gpsdrive?view=rev&revision=2194
http://gpsdrive.svn.sourceforge.net/viewvc/gpsdrive?view=rev&revision=2195
http://cvs.fedoraproject.org/viewvc/rpms/gpsdrive/devel/gpsdrive-2.09-CVE-2008-5703.patch?view=co

Checked into rawhide and built. Does that look ok? If so, I will push F9/F10 builds/updates.
gpsdrive-2.09-7.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
gpsdrive-2.09-7.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.