Bug 6808 - gypsy new security issues CVE-2011-0523 and CVE-2011-0524
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Low Severity: major
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/507089/
Whiteboard: MGA1TOO
Keywords: validated_update
Reported: 2012-07-18 00:07 CEST by David Walser
Modified: 2012-08-12 20:34 CEST (History)
Source RPM: gypsy-0.8-2.mga1.src.rpm
Description David Walser 2012-07-18 00:07:00 CEST
OpenSuSE has issued an advisory today (July 17):
http://lists.opensuse.org/opensuse-updates/2012-07/msg00034.html

Mageia 1 and Mageia 2 are also affected.

Patches are available in the OpenSuSE package.
Comment 1 David Walser 2012-08-08 23:43:48 CEST
Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated gypsy packages fix security vulnerabilities:

Regular users can request that arbitrary files be opened for reading. In
the best case, this is a denial of service. Worst-case, this could lead to
information disclosure or privilege escalation (CVE-2011-0523).

Unchecked buffer overflows as well in gps_channel_garmin_input() via
nmeabuf and nmea_gpgsv(), which could be used in an attack (CVE-2011-0524).

Note: a new config file, /etc/gypsy.conf, has been added that specifies a
whitelist of globs. By default, they are "/dev/tty*", "/dev/pgps", and
"bluetooth" (which matches Bluetooth addresses).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0524
https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323
http://lists.opensuse.org/opensuse-updates/2012-07/msg00034.html
========================

Updated packages in core/updates_testing:
========================
gypsy-0.8-2.1.mga1
libgypsy0-0.8-2.1.mga1
gypsy-devel-0.8-2.1.mga1
gypsy-docs-0.8-2.1.mga1
gypsy-0.8-2.1.mga2
libgypsy0-0.8-2.1.mga2
gypsy-devel-0.8-2.1.mga2
gypsy-docs-0.8-2.1.mga2

from SRPMS:
gypsy-0.8-2.1.mga1.src.rpm
gypsy-0.8-2.1.mga2.src.rpm
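As an added illustration of the whitelist the advisory describes (not code from the gypsy project or from this bug), the check below decides whether a device name requested by an unprivileged client matches one of the default globs. The format of /etc/gypsy.conf is not shown on this page, so the list is embedded, and `device_allowed` is a hypothetical name:

```c
#include <ctype.h>
#include <fnmatch.h>
#include <string.h>

/* Default whitelist from the advisory. The real daemon would read these
 * from /etc/gypsy.conf, whose format this page does not show, so the list
 * is embedded here (constructed for the example). */
static const char *const allowed_globs[] = { "/dev/tty*", "/dev/pgps", "bluetooth" };

/* "bluetooth" is not a filename glob: it stands for a Bluetooth device
 * address of the form XX:XX:XX:XX:XX:XX (six hex octets). */
static int is_bluetooth_address(const char *s)
{
    if (strlen(s) != 17)
        return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* Returns 1 if the daemon may open `device` on behalf of an unprivileged
 * client, 0 otherwise. FNM_PATHNAME stops '*' from matching '/', so a
 * wildcard such as "/dev/tty*" cannot be stretched across a directory
 * boundary; ".." is rejected outright as a second line of defence. */
int device_allowed(const char *device)
{
    if (device == NULL || device[0] == '\0' || strstr(device, "..") != NULL)
        return 0;
    for (size_t i = 0; i < sizeof allowed_globs / sizeof allowed_globs[0]; i++) {
        if (strcmp(allowed_globs[i], "bluetooth") == 0) {
            if (is_bluetooth_address(device))
                return 1;
        } else if (fnmatch(allowed_globs[i], device, FNM_PATHNAME) == 0) {
            return 1;
        }
    }
    return 0;
}
```

Without FNM_PATHNAME a plain fnmatch would let `*` match across `/`, which is why the flag matters when a glob whitelist guards file opens.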
Comment 2 Dave Hodgins 2012-08-11 22:58:12 CEST
As I don't have a GPS device, and apparently no one else on the QA team
has one, I was writing a request for testers for the general discussion
list and was looking at how to test this.

As it only provides a D-Bus interface, I was looking for applications that
would use it. No other rpm packages on Mageia 2 require gypsy, so I'm not
sure how to suggest testing it.

I have confirmed the above packages install cleanly on both arches in both
releases.
Comment 3 David Walser 2012-08-11 23:01:48 CEST
I saw similar things looking at the discussions on the Novell and Ubuntu bugs for this, and I didn't see any indication that they were able to get it tested, so in the end they just pushed it to get the fixes out there.  It sounds like the code is really bad and ugly and probably full of other holes, and unmaintained to boot.  There was some discussion of dropping the package, but I don't know if they did or not.  Apparently there isn't much in the way of alternatives for people that use this.  It took some work to even get it to compile.
Comment 4 Dave Hodgins 2012-08-11 23:12:16 CEST
I'm going to go ahead and validate the update then.

Could someone from the sysadmin team push the srpm
gypsy-0.8-2.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
gypsy-0.8-2.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated gypsy packages fix security vulnerabilities:

Regular users can request that arbitrary files be opened for reading. In
the best case, this is a denial of service. Worst-case, this could lead to
information disclosure or privilege escalation (CVE-2011-0523).

Unchecked buffer overflows as well in gps_channel_garmin_input() via
nmeabuf and nmea_gpgsv(), which could be used in an attack (CVE-2011-0524).

Note: a new config file, /etc/gypsy.conf, has been added that specifies a
whitelist of globs. By default, they are "/dev/tty*", "/dev/pgps", and
"bluetooth" (which matches Bluetooth addresses).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0524
https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323
http://lists.opensuse.org/opensuse-updates/2012-07/msg00034.html

https://bugs.mageia.org/show_bug.cgi?id=6808
Comment 5 Thomas Backlund 2012-08-12 20:34:52 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0209
