[DebianGIS-dev] Bug#508597: gpsdriver: allows local users to overwrite arbitrary files via a symlink attack

Raphael Geissert atomo64 at gmail.com
Fri Dec 12 22:27:07 UTC 2008


Package: gpsdrive
Version: 2.10~pre4-6.dfsg-1
Tags: security
Severity: important

Hi,

I have found three other attack vectors:

/usr/share/doc/gpsdrive/examples/gpssmswatch:
> FILE=/tmp/.smswatch
> while [ 1 = 1 ]
> do
> gnokii --getsms SM 1 > $FILE
> if [ $? = "0" ];then
> gnokii --deletesms SM 1
> fi
> grep PLSSENDPOS $FILE
> if [ $? = "0" ];then
> echo -e "position request found\n"
> NUMBER=`grep Sender /tmp/.smswatch|awk '{print $2}'`
> killall -USR1 gpsdrive
>
> echo "sending "
> cat /tmp/gpsdrivepos
> echo -e "to number $NUMBER\n"
> gnokii --sendsms $NUMBER < /tmp/gpsdrivepos

src/splash.c
>         f = fopen ("/tmp/gpsdrivepos", "w");
>         if (f == NULL)
>         {
>                 perror ("/tmp/gpsdrivepos");
>                 return;
>         }
>         time (&t);
>         ts = localtime (&t);
>         fprintf (f, asctime (ts));
>         fprintf (f, "POS %f %f\n", coords.current_lat, coords.current_lon);
>         fclose (f);

src/unit_test.c:
> g_snprintf (dir_proc, sizeof (dir_proc), "/tmp/gpsdrive-unit-test");
> g_snprintf (dir_proc, sizeof (dir_proc), "/tmp/gpsdrive-unit-test/proc");

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
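A symlink-safe alternative to the `fopen ("/tmp/gpsdrivepos", "w")` call quoted from src/splash.c, as an added example that is not part of the original message or of gpsdrive's code. The function name `write_pos_file` and the use of a per-user directory (for instance `$XDG_RUNTIME_DIR`) in place of `/tmp` are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Write the position report to <dir>/gpsdrivepos without following a symlink
 * planted at that name. Assumption: dir is a per-user directory such as
 * $XDG_RUNTIME_DIR, not /tmp itself. Returns 0 on success, -1 on error. */
int write_pos_file(const char *dir, double lat, double lon)
{
    char tmp[4096], final[4096], stamp[32];
    struct stat st;
    struct tm tmv;
    time_t t = time(NULL);

    /* Refuse a directory that other users could plant names in. */
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;
    if (snprintf(tmp, sizeof tmp, "%s/.gpsdrivepos.XXXXXX", dir) >= (int)sizeof tmp ||
        snprintf(final, sizeof final, "%s/gpsdrivepos", dir) >= (int)sizeof final)
        return -1;
    /* Same layout as asctime(), produced with a fixed format string. */
    if (localtime_r(&t, &tmv) == NULL ||
        strftime(stamp, sizeof stamp, "%a %b %e %H:%M:%S %Y\n", &tmv) == 0)
        return -1;

    /* mkstemp() opens with O_CREAT|O_EXCL and mode 0600, so it never opens
     * a name that already exists and cannot be redirected by a symlink. */
    int fd = mkstemp(tmp);
    if (fd < 0)
        return -1;
    FILE *f = fdopen(fd, "w");
    if (f == NULL) {
        close(fd);
        unlink(tmp);
        return -1;
    }
    fputs(stamp, f);                     /* written as data, not as a format */
    fprintf(f, "POS %f %f\n", lat, lon);
    int bad = ferror(f);
    /* rename() replaces whatever is at the final name, a symlink included,
     * instead of writing through it. */
    if (fclose(f) != 0 || bad || rename(tmp, final) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}
```

A reader such as the gpssmswatch script would then take the file from the same per-user directory rather than from `/tmp`.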