Comment 37 for bug 690323

In , Kees Cook (kees) wrote :

https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323

Regular users can request that arbitrary files be opened for reading. In the best case, this is a denial of service. Worst-case, this could lead to information disclosure or privilege escalation.

** (gypsy-daemon:23540): DEBUG: Creating client for /etc/shadow
** (gypsy-daemon:23540): DEBUG: Device name: shadow
** (gypsy-daemon:23540): DEBUG: Registered client on /org/freedesktop/Gypsy/shadow
** (gypsy-daemon:23540): DEBUG: Starting connection to /etc/shadow
** (gypsy-daemon:23540): DEBUG: Starting connection to /etc/shadow
open("/etc/shadow", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 6
open("/etc/shadow", O_RDWR|O_NOCTTY|O_NONBLOCK) = 7
** (gypsy-daemon:23540): DEBUG: GPS channel can connect

There appear to be unchecked buffer overflows as well in gps_channel_garmin_input() via nmeabuf and nmea_gpgsv(), which could be used in an attack. (If the local user attaches gypsy to a pseudo-tty they might be able to trick the string handling.)
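The log above shows the daemon opening whatever path the client names. As an added example (not part of the original comment and not gypsy's code), here is one way a privileged daemon could vet a client-supplied device path before using it. The helper names and the policy of accepting only tty character devices under /dev are assumptions.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed policy (not taken from gypsy): only tty character devices under /dev. */
static int path_under_dev(const char *resolved)
{
    return strncmp(resolved, "/dev/", 5) == 0 && resolved[5] != '\0';
}

/* Hypothetical helper: returns an open fd, or a negative errno value. */
static int open_gps_device(const char *requested)
{
    struct stat st;
    int fd, err;
    /* Resolve symlinks and ".." first so the prefix check sees the real target. */
    char *resolved = realpath(requested, NULL);
    if (resolved == NULL)
        return -errno;
    if (!path_under_dev(resolved)) {
        free(resolved);
        return -EACCES;
    }
    /* O_NOFOLLOW: fail if the final component became a symlink after realpath(). */
    fd = open(resolved, O_RDONLY | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
    err = errno;
    free(resolved);
    if (fd < 0)
        return -err;
    /* Check the object that was actually opened, not the name. */
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode) || !isatty(fd)) {
        close(fd);
        return -ENOTTY;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int rc = open_gps_device(argc > 1 ? argv[1] : "/etc/shadow");
    printf("%s\n", rc < 0 ? strerror(-rc) : "accepted");
    return rc < 0;
}
```

A pseudo-tty under /dev/pts still passes this check, so it does nothing for the nmeabuf and nmea_gpgsv() overflows mentioned above; those need bounds checks in the parsing code itself.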