[DebianGIS-dev] Bug#508597: gpsdriver: allows local users to overwrite arbitrary files via a symlink attack
Raphael Geissert
atomo64 at gmail.com
Fri Dec 12 22:27:07 UTC 2008
Package: gpsdrive
Version: 2.10~pre4-6.dfsg-1
Tags: security
Severity: important
Hi,
I have found three other attack vectors:
/usr/share/doc/gpsdrive/examples/gpssmswatch:
> FILE=/tmp/.smswatch
> while [ 1 = 1 ]
> do
> gnokii --getsms SM 1 > $FILE
> if [ $? = "0" ];then
> gnokii --deletesms SM 1
> fi
> grep PLSSENDPOS $FILE
> if [ $? = "0" ];then
> echo -e "position request found\n"
> NUMBER=`grep Sender /tmp/.smswatch|awk '{print $2}'`
> killall -USR1 gpsdrive
>
> echo "sending "
> cat /tmp/gpsdrivepos
> echo -e "to number $NUMBER\n"
> gnokii --sendsms $NUMBER < /tmp/gpsdrivepos
src/splash.c
> f = fopen ("/tmp/gpsdrivepos", "w");
> if (f == NULL)
> {
> perror ("/tmp/gpsdrivepos");
> return;
> }
> time (&t);
> ts = localtime (&t);
> fprintf (f, asctime (ts));
> fprintf (f, "POS %f %f\n", coords.current_lat, coords.current_lon);
> fclose (f);
src/unit_test.c:
> g_snprintf (dir_proc, sizeof (dir_proc), "/tmp/gpsdrive-unit-test");
> g_snprintf (dir_proc, sizeof (dir_proc), "/tmp/gpsdrive-unit-test/proc");
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
Url : http://lists.alioth.debian.org/pipermail/pkg-grass-devel/attachments/20081212/8ea4d1d2/attachment.pgp
More information about the Pkg-grass-devel
mailing list