OpenSuSE has issued an advisory today (July 17): http://lists.opensuse.org/opensuse-updates/2012-07/msg00034.html Mageia 1 and Mageia 2 are also affected. Patches are available in the OpenSuSE package.
CC: (none) => dmorganec
Whiteboard: (none) => MGA2TOO, MGA1TOO

Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated gypsy packages fix security vulnerabilities:

Regular users can request that arbitrary files be opened for reading. In the best case, this is a denial of service. Worst-case, this could lead to information disclosure or privilege escalation (CVE-2011-0523).

Unchecked buffer overflows as well in gps_channel_garmin_input() via nmeabuf and nmea_gpgsv(), which could be used in an attack (CVE-2011-0524).

Note: a new config file, /etc/gypsy.conf, has been added that specifies a whitelist of globs. By default, they are "/dev/tty*", "/dev/pgps", and "bluetooth" (which matches Bluetooth addresses).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0524
https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323
http://lists.opensuse.org/opensuse-updates/2012-07/msg00034.html
========================

Updated packages in core/updates_testing:
========================
gypsy-0.8-2.1.mga1
libgypsy0-0.8-2.1.mga1
gypsy-devel-0.8-2.1.mga1
gypsy-docs-0.8-2.1.mga1
gypsy-0.8-2.1.mga2
libgypsy0-0.8-2.1.mga2
gypsy-devel-0.8-2.1.mga2
gypsy-docs-0.8-2.1.mga2

from SRPMS:
gypsy-0.8-2.1.mga1.src.rpm
gypsy-0.8-2.1.mga2.src.rpm
Priority: Normal => Low
Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Severity: normal => major
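
The allowlist described in the advisory note can be illustrated with a small check. This is an added example, not gypsy's own code and not part of the original comment: the function names, the use of fnmatch() with FNM_PATHNAME, the rejection of "..", and the six-octet Bluetooth address format are assumptions; only the three default entries come from the advisory.

```c
#include <ctype.h>
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Default allowlist entries quoted in the advisory. */
static const char *const default_globs[] = { "/dev/tty*", "/dev/pgps", "bluetooth" };

/* Assumption: a Bluetooth address is six colon-separated hex octets. */
static int is_bluetooth_addr(const char *s)
{
    if (strlen(s) != 17)
        return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2 ? s[i] != ':' : !isxdigit((unsigned char)s[i]))
            return 0;
    }
    return 1;
}

/* Return 1 if the requested device name is permitted, 0 otherwise. */
int device_allowed(const char *dev, const char *const *globs, size_t n)
{
    if (dev == NULL || *dev == '\0' || strstr(dev, "..") != NULL)
        return 0;   /* refuse empty names and any ".." traversal */
    for (size_t i = 0; i < n; i++) {
        if (strcmp(globs[i], "bluetooth") == 0) {
            if (is_bluetooth_addr(dev))
                return 1;
        /* FNM_PATHNAME: "*" never matches "/", so "/dev/tty*" stays in /dev */
        } else if (fnmatch(globs[i], dev, FNM_PATHNAME) == 0) {
            return 1;
        }
    }
    return 0;
}

int check_default(const char *dev)
{
    return device_allowed(dev, default_globs, sizeof default_globs / sizeof *default_globs);
}

int main(void)
{
    const char *samples[] = { "/dev/ttyUSB0", "00:11:22:AA:BB:CC", "/etc/shadow" }; /* constructed */
    for (size_t i = 0; i < 3; i++)
        printf("%-20s %s\n", samples[i], check_default(samples[i]) ? "allow" : "deny");
    return 0;
}
```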
As I don't have a GPS device, and apparently no-one else on the QA team has one, I was writing a request for testers, for the general discussion list, and was looking at how to test this. As it only provides a dbus interface, I was looking for applications that would use it. No other rpm packages on Mageia 2 require gypsy, so I'm not sure how to suggest testing it. I have confirmed the above packages install cleanly on both arches in both releases.

CC: (none) => davidwhodgins
I saw similar things looking at the discussions on the Novell and Ubuntu bugs for this, and I didn't see any indication that they were able to get it tested, so in the end they just pushed it to get the fixes out there. It sounds like the code is really bad and ugly and probably full of other holes, and unmaintained to boot. There was some discussion of dropping the package, but I don't know if they did or not. Apparently there isn't much in the way of alternatives for people that use this. It took some work to even get it to compile.
I'm going to go ahead and validate the update then.

Could someone from the sysadmin team push the srpm gypsy-0.8-2.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm gypsy-0.8-2.1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates.

Advisory:

Updated gypsy packages fix security vulnerabilities:

Regular users can request that arbitrary files be opened for reading. In the best case, this is a denial of service. Worst-case, this could lead to information disclosure or privilege escalation (CVE-2011-0523).

Unchecked buffer overflows as well in gps_channel_garmin_input() via nmeabuf and nmea_gpgsv(), which could be used in an attack (CVE-2011-0524).

Note: a new config file, /etc/gypsy.conf, has been added that specifies a whitelist of globs. By default, they are "/dev/tty*", "/dev/pgps", and "bluetooth" (which matches Bluetooth addresses).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0524
https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323
http://lists.opensuse.org/opensuse-updates/2012-07/msg00034.html

https://bugs.mageia.org/show_bug.cgi?id=6808

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0209
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED