Launchpad has imported 8 comments from the remote bug at https://bugs.freedesktop.org/show_bug.cgi?id=33431.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2011-01-24T21:54:52+00:00 Kees Cook wrote:

https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323

Regular users can request that arbitrary files be opened for reading. In the best case, this is a denial of service. Worst-case, this could lead to information disclosure or privilege escalation.

** (gypsy-daemon:23540): DEBUG: Creating client for /etc/shadow
** (gypsy-daemon:23540): DEBUG: Device name: shadow
** (gypsy-daemon:23540): DEBUG: Registered client on /org/freedesktop/Gypsy/shadow
** (gypsy-daemon:23540): DEBUG: Starting connection to /etc/shadow
** (gypsy-daemon:23540): DEBUG: Starting connection to /etc/shadow
open("/etc/shadow", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 6
open("/etc/shadow", O_RDWR|O_NOCTTY|O_NONBLOCK) = 7
** (gypsy-daemon:23540): DEBUG: GPS channel can connect

There appear to be unchecked buffer overflows as well in gps_channel_garmin_input() via nmeabuf and nmea_gpgsv(), which could be used in an attack. (If the local user attaches gypsy to a pseudo-tty they might be able to trick the string handling.)

Reply at: https://bugs.launchpad.net/gypsy/+bug/690323/comments/3

------------------------------------------------------------------------
On 2011-10-12T10:58:01+00:00 Bastien Nocera wrote:

Created attachment 52255
security fix

Patch by Michael Leibowitz, further modified by myself.

Reply at: https://bugs.launchpad.net/gypsy/+bug/690323/comments/17

------------------------------------------------------------------------
On 2011-10-12T11:17:12+00:00 Bastien Nocera wrote:

Created attachment 52256
Fix buffer overflows in 0.8 codebase

Reply at: https://bugs.launchpad.net/gypsy/+bug/690323/comments/18

------------------------------------------------------------------------
On 2011-10-12T11:22:11+00:00 Bastien Nocera wrote:

(In reply to comment #0)
<snip>
> There appear to be unchecked buffer overflows as well in
> gps_channel_garmin_input() via nmeabuf and nmea_gpgsv(), which could be
> used in an attack. (If the local user attaches gypsy to a pseudo-tty they
> might be able to trick the string handling.)

Note that this is only a problem in the 0.8 codebase, the latest master's parsing code is completely rewritten and doesn't use sprintf() anymore.

Reply at: https://bugs.launchpad.net/gypsy/+bug/690323/comments/19

------------------------------------------------------------------------
On 2011-10-12T14:36:26+00:00 2-iabn-7 wrote:

Now that we have the discovery system in master, we could use that to only allow known device files to be connected to

Reply at: https://bugs.launchpad.net/gypsy/+bug/690323/comments/20

------------------------------------------------------------------------
On 2011-10-13T09:11:10+00:00 Bastien Nocera wrote:

(In reply to comment #4)
> Now that we have the discovery system in master, we could use that to only
> allow known device files to be connected to

That could be a second keyword for the conf file (bluetooth-known). Though I'd like to say that the current code will hide a lot of older Bluetooth GPS devices because they don't use the correct Class (the positioning device class was fairly recent).

Reply at: https://bugs.launchpad.net/gypsy/+bug/690323/comments/21

------------------------------------------------------------------------
On 2011-10-31T13:50:25+00:00 Bastien Nocera wrote:

Could I get some review on those patches?

Reply at: https://bugs.launchpad.net/gypsy/+bug/690323/comments/22

------------------------------------------------------------------------
On 2012-04-16T15:39:22+00:00 Bastien Nocera wrote:

Again, can I get a review on those patches, please?

Reply at: https://bugs.launchpad.net/gypsy/+bug/690323/comments/44

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/690323

Title:
  gypsy opens arbitrary files, has unchecked buffer overflows

To manage notifications about this bug go to:
https://bugs.launchpad.net/gypsy/+bug/690323/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
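
Added example, not part of the bug thread and not gypsy's code or either attached patch: one way a daemon could restrict a client-supplied path to known device files before opening it, as suggested in the comments above. The function names, the glob list and the character-device check are assumptions made for illustration.

```c
#include <fcntl.h>
#include <fnmatch.h>
#include <stddef.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical allowlist; these globs are assumptions, not gypsy's config. */
const char *const GPS_GLOBS[] = { "/dev/tty*", "/dev/rfcomm*" };
const size_t GPS_NGLOBS = sizeof GPS_GLOBS / sizeof GPS_GLOBS[0];

/* Return 1 if path is absolute, has no component starting with "..",
 * and matches one of the allowlisted globs; otherwise return 0. */
int path_allowed(const char *path, const char *const *globs, size_t nglobs)
{
    if (path == NULL || path[0] != '/' || strstr(path, "/..") != NULL)
        return 0;
    for (size_t i = 0; i < nglobs; i++) {
        /* FNM_PATHNAME: '*' never matches '/', so "/dev/tty*" cannot be
         * stretched across additional path components. */
        if (fnmatch(globs[i], path, FNM_PATHNAME) == 0)
            return 1;
    }
    return 0;
}

/* Open a device on behalf of a client. Returns an fd, or -1 on refusal. */
int open_gps_device(const char *path, const char *const *globs, size_t nglobs)
{
    struct stat st;
    int fd;

    if (!path_allowed(path, globs, nglobs))
        return -1;              /* refuse before the file is ever touched */

    /* Same flags as the open() calls in the trace quoted in the report. */
    fd = open(path, O_RDONLY | O_NOCTTY | O_NONBLOCK);
    if (fd < 0)
        return -1;

    /* Inspect the object actually opened (fstat on the fd, not stat on the
     * name), so a path swapped after the check cannot slip through. */
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}
```

The name check runs before open() because opening some device nodes has side effects of its own; the fstat() check then rejects regular files even when a glob is written too broadly.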