Two vulnerabilities were reported [1],[2] in gypsy, a GPS multiplexing daemon. The first is that it reads arbitrary files as the root user on behalf of a regular user (CVE-2011-0523). The second is that there is a buffer overflow in NMEA device input handling which could potentially lead to privilege escalation (CVE-2011-0524). Both issues have been reported upstream [3]; however, there has been no response (the Ubuntu bug indicates upstream was noticed 20101214 with no response). There is also a SUSE bug [4] with some further information.
[1] http://article.gmane.org/gmane.comp.security.oss.general/4124
[2] https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323
[3] https://bugs.freedesktop.org/show_bug.cgi?id=33431
[4] https://bugzilla.novell.com/show_bug.cgi?id=666839#c3
It also looks as though this software may be abandoned. There is no upstream activity since June 2010: http://cgit.freedesktop.org/gypsy/
Created gypsy tracking bugs for this issue
Affects: fedora-all [bug 674131]
Upstream isn't abandoned but there's not a lot of churn. I'll poke upstream directly to get a response.
Many thanks for that, Peter.
Hi Peter, Any update on this from upstream?
I reported it on the meego bugzilla as I'd not got any response from the maintainers. https://bugs.meego.com/show_bug.cgi?id=14396 It seems there's a patch been added (only just saw it) but I'm not able to make a judgement on whether it fixes the problem. Quite happy to patch and push it in Fedora if someone can review and ACK it.
Peter, can you attach the patch to this bug? I tried to load up that bug and don't have an account there (so I suspect I won't have privileges if I go ahead and make one). You can make the attachment private (or email it to me directly perhaps). Thanks,
I've emailed it as I couldn't see how to set the attachment as private, only the entire bug.
Thanks, Peter. I've got it. I think that patch should be ok; might be nice to get it into Fedora and test it out if nothing else. The patch only addresses CVE-2011-0523 (the first issue) from what I can tell, and not the buffer overflow in nmea device handling. Has that been discussed upstream at all? I still see no activity in the upstream git -- do we know if this patch will land there?
Waiting on upstream to review the patches: https://bugs.freedesktop.org/show_bug.cgi?id=33431 Feel free to comment there about the patch itself, and I'll iterate.
Hi Bastien, do you have any update on this?
Created gypsy tracking bugs for this issue
Affects: fedora-all [bug 822922]
Upstream is dead. It's been retired in F-24+.