Bug 6808

Summary: gypsy new security issues CVE-2011-0523 and CVE-2011-0524
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: major
Priority: Low
CC: davidwhodgins, dmorganec, sysadmin-bugs, tmb
Version: 2
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/507089/
Whiteboard: MGA1TOO
Source RPM: gypsy-0.8-2.mga1.src.rpm
CVE:
Status comment:

Description David Walser 2012-07-18 00:07:00 CEST
OpenSuSE has issued an advisory today (July 17):
http://lists.opensuse.org/opensuse-updates/2012-07/msg00034.html

Mageia 1 and Mageia 2 are also affected.

Patches are available in the OpenSuSE package.
David Walser 2012-07-18 00:07:25 CEST

CC: (none) => dmorganec
Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 1 David Walser 2012-08-08 23:43:48 CEST
Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated gypsy packages fix security vulnerabilities:

Regular users can request that arbitrary files be opened for reading. In
the best case, this is a denial of service. Worst-case, this could lead to
information disclosure or privilege escalation (CVE-2011-0523).

Unchecked buffer overflows as well in gps_channel_garmin_input() via
nmeabuf and nmea_gpgsv(), which could be used in an attack (CVE-2011-0524).

Note: a new config file, /etc/gypsy.conf, has been added that specifies a
whitelist of globs. By default, they are "/dev/tty*", "/dev/pgps", and
"bluetooth" (which matches Bluetooth addresses).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0524
https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323
http://lists.opensuse.org/opensuse-updates/2012-07/msg00034.html
========================

Updated packages in core/updates_testing:
========================
gypsy-0.8-2.1.mga1
libgypsy0-0.8-2.1.mga1
gypsy-devel-0.8-2.1.mga1
gypsy-docs-0.8-2.1.mga1
gypsy-0.8-2.1.mga2
libgypsy0-0.8-2.1.mga2
gypsy-devel-0.8-2.1.mga2
gypsy-docs-0.8-2.1.mga2

from SRPMS:
gypsy-0.8-2.1.mga1.src.rpm
gypsy-0.8-2.1.mga2.src.rpm

Priority: Normal => Low
Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Severity: normal => major
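The glob whitelist the advisory describes, shown as a standalone device-path check in C. This is an added example, not gypsy's own code; the in-memory whitelist array, the rejection of ".." and the rule that "bluetooth" admits a colon-separated six-byte address are assumptions.

```c
/* Added example, not gypsy's own code: a device-path whitelist check in the
 * spirit of the /etc/gypsy.conf globs described in the advisory. The config
 * representation and the Bluetooth-address rule are assumptions. */
#include <ctype.h>
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Constructed whitelist, mirroring the advisory's defaults. */
static const char *const WHITELIST[] = { "/dev/tty*", "/dev/pgps", "bluetooth" };
#define WHITELIST_LEN (sizeof WHITELIST / sizeof WHITELIST[0])

/* Assumption: "bluetooth" admits a BD_ADDR of the form XX:XX:XX:XX:XX:XX. */
static int looks_like_bdaddr(const char *s)
{
    if (strlen(s) != 17) return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) { if (s[i] != ':') return 0; }
        else if (!isxdigit((unsigned char)s[i])) return 0;
    }
    return 1;
}

/* Returns 1 if the device string a client asked for is permitted, else 0. */
int gypsy_device_allowed(const char *device)
{
    if (device == NULL || device[0] == '\0') return 0;
    /* Reject traversal outright: the globs match the literal string only. */
    if (strstr(device, "..") != NULL) return 0;
    for (size_t i = 0; i < WHITELIST_LEN; i++) {
        const char *pat = WHITELIST[i];
        if (strcmp(pat, "bluetooth") == 0) {
            if (looks_like_bdaddr(device)) return 1;
            continue;
        }
        /* FNM_PATHNAME: '*' never crosses '/', so "/dev/tty*" cannot reach "/dev/tty/x". */
        if (fnmatch(pat, device, FNM_PATHNAME) == 0) return 1;
    }
    return 0;
}

int main(void)
{
    const char *probes[] = { "/dev/ttyUSB0", "/dev/pgps", "00:11:22:AA:BB:CC",
                             "/etc/shadow", "/dev/tty/../../etc/passwd" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-28s %s\n", probes[i], gypsy_device_allowed(probes[i]) ? "allowed" : "denied");
    return 0;
}
```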

Comment 2 Dave Hodgins 2012-08-11 22:58:12 CEST
As I don't have a gps device, and apparently no-one else on the qa team
has one, I was writing a request for testers for the general discussion
list, and was looking at how to test this.

As it only provides a dbus interface, I was looking for applications that
would use it.  No other rpm packages on Mageia 2 require gypsy, so I'm not
sure how to suggest testing it.

I have confirmed the above packages install cleanly on both arches in both
releases.

CC: (none) => davidwhodgins

Comment 3 David Walser 2012-08-11 23:01:48 CEST
I saw similar things looking at the discussions on the Novell and Ubuntu bugs for this, and I didn't see any indication that they were able to get it tested, so in the end they just pushed it to get the fixes out there.  It sounds like the code is really bad and ugly and probably full of other holes, and unmaintained to boot.  There was some discussion of dropping the package, but I don't know if they did or not.  Apparently there isn't much in the way of alternatives for people that use this.  It took some work to even get it to compile.
Comment 4 Dave Hodgins 2012-08-11 23:12:16 CEST
I'm going to go ahead and validate the update then.

Could someone from the sysadmin team push the srpm
gypsy-0.8-2.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
gypsy-0.8-2.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated gypsy packages fix security vulnerabilities:

Regular users can request that arbitrary files be opened for reading. In
the best case, this is a denial of service. Worst-case, this could lead to
information disclosure or privilege escalation (CVE-2011-0523).

Unchecked buffer overflows as well in gps_channel_garmin_input() via
nmeabuf and nmea_gpgsv(), which could be used in an attack (CVE-2011-0524).

Note: a new config file, /etc/gypsy.conf, has been added that specifies a
whitelist of globs. By default, they are "/dev/tty*", "/dev/pgps", and
"bluetooth" (which matches Bluetooth addresses).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0524
https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323
http://lists.opensuse.org/opensuse-updates/2012-07/msg00034.html

https://bugs.mageia.org/show_bug.cgi?id=6808

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Thomas Backlund 2012-08-12 20:34:52 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0209

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED