gypsy opens arbitrary files, has unchecked buffer overflows

https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323

Regular users can request that arbitrary files be opened for reading. In the best case, this is a denial of service. Worst-case, this could lead to information disclosure or privilege escalation.

** (gypsy-daemon:23540): DEBUG: Creating client for /etc/shadow
** (gypsy-daemon:23540): DEBUG: Device name: shadow
** (gypsy-daemon:23540): DEBUG: Registered client on /org/freedesktop/Gypsy/shadow
** (gypsy-daemon:23540): DEBUG: Starting connection to /etc/shadow
** (gypsy-daemon:23540): DEBUG: Starting connection to /etc/shadow
open("/etc/shadow", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 6
open("/etc/shadow", O_RDWR|O_NOCTTY|O_NONBLOCK) = 7
** (gypsy-daemon:23540): DEBUG: GPS channel can connect

There appear to be unchecked buffer overflows as well in gps_channel_garmin_input() via nmeabuf and nmea_gpgsv(), which could be used in an attack. (If the local user attaches gypsy to a pseudo-tty they might be able to trick the string handling.)

Via oss-sec:

Date: Mon, 24 Jan 2011 13:57:11 -0800
From: Kees Cook
To: oss-security

Hello,

I'd like to get CVEs assigned for two issues in Gypsy[1]:

reads arbitrary files as root user on behalf of regular user
https://bugs.freedesktop.org/show_bug.cgi?id=33431

buffer overflow in nmea device input handling
https://bugs.freedesktop.org/show_bug.cgi?id=33431

Thanks,

-Kees

[1] http://gypsy.freedesktop.org/wiki/

Via oss-sec:

I'm giving these 2011 IDs. None of the information was public in 2010.

----- Original Message -----
> Hello,
>
> I'd like to get CVEs assigned for two issues in Gypsy[1]:
>
> reads arbitrary files as root user on behalf of regular user
> https://bugs.freedesktop.org/show_bug.cgi?id=33431

Use CVE-2011-0523.

>
> buffer overflow in nmea device input handling
> https://bugs.freedesktop.org/show_bug.cgi?id=33431
>

Use CVE-2011-0524.

Thanks.

--
    JB

has anyone seen patches floating around for these.
upstream does not look too alive and no-one else has touched the package yet

the whole program has code like this in countless places:

        char nmeabuf[256];
        nmea_foobar(foo, nmeabuf);

nmea_foobar(foo2* foo, char* bar)
{
           char buf[256];

           sprintf(buf, ....);

           unsigned char cksum = nmea_cksum(buf);

           sprintf(bar, "$%s*%02X\r\n", buf, cksum);
}

so at least we'd have to make buf a few bytes smaller to have a chance,
but I guess that does not even completely fix one of the two issues

WOW: this is gross:

gypsy-client.c line 653:

        /* Open a connection to our device */
        /* we assume that a device path starting with slash is a tty device */
        if (priv->device_path[0] == '/') {

how do we continue here ?

This doesnt look good and it seems there are more
problems than what has been reported.
Is it an important package?

"gps multiplexing daemon" to let multiple clients access gps devices.

does not really sound too common.

I did not even know I was assigned to this package, had never touched it before.

Vincent, you're the only one listed in the changelog of this package, can you
comment on the importance of this package ?

It's not an essential package, but without it, only one app can access to a gps device, which is an issue if many apps are doing geolocation -- it's starting to become common.

If we consider dropping the package, I guess some review to know what else is wrong would be nice, so that upstream can go ahead and fix things.

in https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323
the reporter says this was reported to upstream on December 14th
but he never heard back (there have not been any code changes in this
project since last June)

Two vulnerabilities were reported [1],[2] in gypsy, a GPS multiplexing daemon.

The first is that it reads arbitrary files as the root user on behalf of a regular user (CVE-2011-0523). The second is that there is a buffer overflow in nmea device input handling which could potentially lead to privilege escalation (CVE-2011-0524). Both issues have been reported upstream [3], however there has been no response (the Ubuntu bug indicates upstream was noticed 20101214 with no response. There is also a SUSE bug [4] with some further information.

[1] http://article.gmane.org/gmane.comp.security.oss.general/4124
[2] https://bugs.launchpad.net/ubuntu/+source/gypsy/+bug/690323
[3] https://bugs.freedesktop.org/show_bug.cgi?id=33431
[4] https://bugzilla.novell.com/show_bug.cgi?id=666839#c3

It also looks as though this software may be abandoned. There is no upstream activity since June 2010: http://cgit.freedesktop.org/gypsy/

Created gypsy tracking bugs for this issue

Affects: fedora-all [bug 674131]

Upstream isn't abandoned but there's not a lot of churn. I'll poke upstream directly to get a response.

Many thanks for that, Peter.

Unlikely to be used on multi-user machines. Let's ignore it and when upstream fixed it we will have it in Factory.

I disagree. That thing runs as root and I bet it's nowhere documented that it opens gaping security holes.

p5->p3 mass change

maybe policykit can be of use here for a non-intrusive change.
Define two actions "device-open" and "device-change". The former could be granted to local, active sessions by default. The latter should be auth_admin. By starting with no device defined the daemon would require admin auth once to set the initial device. The daemon stores the device name in a config file. As long as the user requests to open only that device the "device-open" action would be granted. If the user changes the device the "device-change" action requires admin auth again. That way overly paranoid checks at device open time are not needed.

Hi Peter,

Any update on this from upstream?

I reported it on the meego bugzilla as I'd not got any response from the maintainers. https://bugs.meego.com/show_bug.cgi?id=14396

It seems there's a patch been added (only just saw it) but I'm not able to make a judgement on whether it fixes the problem. Quite happy to patch and push it in Fedora if someone can review and ACK it.

Peter, can you attach the patch to this bug? I tried to load up that bug and don't have an account there (so I suspect I won't have privileges if I go ahead and make one). You can make the attachment private (or email it to me directly perhaps).

Thanks,

I've emailed it as I couldn't see how to set the attachment as private, only the entire bug.

Thanks, Peter. I've got it. I think that patch should be ok; might be nice to get it into Fedora and test it out if nothing else. The patch only addresses CVE-2011-0523 (the first issue) from what I can tell, and not the buffer overflow in nmea device handling. Has that been discussed upstream at all?

I still see no activity in the upstream git -- do we know if this patch will land there?

Created attachment 52255
security fix

Patch by Michael Leibowitz, further modified by myself.

Created attachment 52256
Fix buffer overflows in 0.8 codebase

Waiting on upstream to review the patches:
https://bugs.freedesktop.org/show_bug.cgi?id=33431

Feel free to comment there about the patch itself, and I'll iterate.

(In reply to comment #0)
<snip>
> There appear to be unchecked buffer overflows as well in
> gps_channel_garmin_input() via nmeabuf and nmea_gpgsv(), which could be used in
> an attack. (If the local user attaches gypsy to a pseudo-tty they might be able
> to trick the string handling.)

Note that this is only a problem in the 0.8 codebase, the latest master's parsing code is completely rewritten and doesn't use sprintf() anymore.

Now that we have the discovery system in master, we could use that to only allow known device files to be connected to

(In reply to comment #4)
> Now that we have the discovery system in master, we could use that to only
> allow known device files to be connected to

That could be a second keyword for the conf file (bluetooth-known). Though I'd like to say that the current code will hide a lot of older Bluetooth GPS devices because they don't use the correct Class (the positioning device class was fairly recent).

Could I get some review on those patches?

There are patches in the upstream bug: https://bugs.freedesktop.org/show_bug.cgi?id=33431

They look okay to me, but haven't been reviewed by upstream maintainer yet. Do we want to just go ahead with the patches?

Please go ahead. The glob restrictions are not really a good solution though as it still allows users to specify devices that they problably shouldn't because there's other hardware connected (or a vt in case of e.g. /dev/tty1).

Hi Bastien, do you have any update on this?

Again, can I get a review on those patches, please?

Buffer overflow fixes look fine to me.

I still prefer that udev or something is used to set permissions on devices and that this daemon run as a non-root user. The whitelist is better than nothing, but it'd be nice to see this not running as root at all.

Have committed the first patch.
The second patch no longer applies to the codebase as the whole NMEA parser system has been removed and there isn't a 0.8 branch to apply it to.

Created gypsy tracking bugs for this issue

Affects: fedora-all [bug 822922]

Submitted for 11.4/12.1/12.2 in mr#127426. Submitted for Factory in sr#127428

This is an autogenerated message for OBS integration:
This bug (666839) was mentioned in
https://build.opensuse.org/request/show/127428 Factory / gypsy

done

openSUSE-SU-2012:0884-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 666839
CVE References: CVE-2011-0523,CVE-2011-0524
Sources used:
openSUSE 12.1 (src): gypsy-0.8-7.4.1
openSUSE 11.4 (src): gypsy-0.8-5.1

This is an autogenerated message for OBS integration:
This bug (666839) was mentioned in
https://build.opensuse.org/request/show/129672 Evergreen:11.2 / gypsy

Upstream is dead, It's been retired in F-24+