Launchpad has imported 14 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=674129.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2011-01-31T18:04:37+00:00 Vincent wrote:

Two vulnerabilities were reported [1],[2] in gypsy, a GPS multiplexing daemon. The first is that it reads arbitrary files as the root user on behalf of a regular user (CVE-2011-0523). The second is that there is a buffer overflow in nmea device input handling which could potentially lead to privilege escalation (CVE-2011-0524).

Both issues have been reported upstream [3], however there has been no response (the Ubuntu bug indicates upstream was noticed 20101214 with no response). There is also a SUSE bug [4] with some further information.

[1] http://article.gmane.org/gmane.comp.security.oss.general/4124
[2] https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323
[3] https://bugs.freedesktop.org/show_bug.cgi?id=33431
[4] https://bugzilla.novell.com/show_bug.cgi?id=666839#c3

Reply at: https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323/comments/13

------------------------------------------------------------------------
On 2011-01-31T18:08:01+00:00 Vincent wrote:

It also looks as though this software may be abandoned. There is no upstream activity since June 2010:

http://cgit.freedesktop.org/gypsy/

Reply at: https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323/comments/14

------------------------------------------------------------------------
On 2011-01-31T18:08:38+00:00 Vincent wrote:

Created gypsy tracking bugs for this issue

Affects: fedora-all [bug 674131]

Reply at: https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323/comments/15

------------------------------------------------------------------------
On 2011-01-31T18:13:18+00:00 Peter wrote:

Upstream isn't abandoned but there's not a lot of churn.
I'll poke upstream directly to get a response.

Reply at: https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323/comments/16

------------------------------------------------------------------------
On 2011-01-31T18:30:52+00:00 Vincent wrote:

Many thanks for that, Peter.

Reply at: https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323/comments/17

------------------------------------------------------------------------
On 2011-04-07T19:33:53+00:00 Josh wrote:

Hi Peter,

Any update on this from upstream?

Reply at: https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323/comments/22

------------------------------------------------------------------------
On 2011-04-08T08:20:31+00:00 Peter wrote:

I reported it on the meego bugzilla as I'd not got any response from the maintainers.

https://bugs.meego.com/show_bug.cgi?id=14396

It seems there's a patch been added (only just saw it) but I'm not able to make a judgement on whether it fixes the problem. Quite happy to patch and push it in Fedora if someone can review and ACK it.

Reply at: https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323/comments/23

------------------------------------------------------------------------
On 2011-04-28T21:31:58+00:00 Vincent wrote:

Peter, can you attach the patch to this bug? I tried to load up that bug and don't have an account there (so I suspect I won't have privileges if I go ahead and make one). You can make the attachment private (or email it to me directly perhaps).

Thanks,

Reply at: https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323/comments/24

------------------------------------------------------------------------
On 2011-04-28T22:26:51+00:00 Peter wrote:

I've emailed it as I couldn't see how to set the attachment as private, only the entire bug.
Reply at: https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323/comments/25

------------------------------------------------------------------------
On 2011-04-28T23:35:37+00:00 Vincent wrote:

Thanks, Peter. I've got it. I think that patch should be ok; might be nice to get it into Fedora and test it out if nothing else.

The patch only addresses CVE-2011-0523 (the first issue) from what I can tell, and not the buffer overflow in nmea device handling. Has that been discussed upstream at all?

I still see no activity in the upstream git -- do we know if this patch will land there?

Reply at: https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323/comments/26

------------------------------------------------------------------------
On 2011-10-12T11:21:02+00:00 Bastien wrote:

Waiting on upstream to review the patches:
https://bugs.freedesktop.org/show_bug.cgi?id=33431

Feel free to comment there about the patch itself, and I'll iterate.

Reply at: https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323/comments/29

------------------------------------------------------------------------
On 2012-01-24T14:56:05+00:00 Ramon wrote:

Hi Bastien, do you have any update on this?
Reply at: https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323/comments/36

------------------------------------------------------------------------
On 2012-05-18T14:02:01+00:00 Stefan wrote:

Created gypsy tracking bugs for this issue

Affects: fedora-all [bug 822922]

Reply at: https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323/comments/59

------------------------------------------------------------------------
On 2016-03-10T19:55:26+00:00 Peter wrote:

Upstream is dead, It's been retired in F-24+

Reply at: https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323/comments/65

** Changed in: gypsy (Fedora)
   Status: Unknown => Invalid

** Changed in: gypsy (Fedora)
   Importance: Unknown => Medium

** Bug watch added: Meego #14396
   http://bugs.meego.com/show_bug.cgi?id=14396

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/690323

Title:
  gypsy opens arbitrary files, has unchecked buffer overflows

To manage notifications about this bug go to:
https://bugs.launchpad.net/gypsy/+bug/690323/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs