Regular users can request that arbitrary files be opened for reading. In the best case, this is a denial of service. Worst-case, this could lead to information disclosure or privilege escalation.
** (gypsy-daemon:23540): DEBUG: Creating client for /etc/shadow
** (gypsy-daemon:23540): DEBUG: Device name: shadow
** (gypsy-daemon:23540): DEBUG: Registered client on /org/freedesktop/Gypsy/shadow
** (gypsy-daemon:23540): DEBUG: Starting connection to /etc/shadow
** (gypsy-daemon:23540): DEBUG: Starting connection to /etc/shadow
open("/etc/shadow", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 6
open("/etc/shadow", O_RDWR|O_NOCTTY|O_NONBLOCK) = 7
** (gypsy-daemon:23540): DEBUG: GPS channel can connect
There appear to be unchecked buffer overflows as well in gps_channel_garmin_input() via nmeabuf and nmea_gpgsv(), which could be used in an attack. (If the local user attaches gypsy to a pseudo-tty they might be able to trick the string handling.)
https:/ /bugs.launchpad .net/ubuntu/ +source/ gypsy/+ bug/690323
Regular users can request that arbitrary files be opened for reading. In the best case, this is a denial of service. Worst-case, this could lead to information disclosure or privilege escalation.
** (gypsy- daemon: 23540): DEBUG: Creating client for /etc/shadow daemon: 23540): DEBUG: Device name: shadow daemon: 23540): DEBUG: Registered client on /org/freedeskto p/Gypsy/ shadow daemon: 23540): DEBUG: Starting connection to /etc/shadow daemon: 23540): DEBUG: Starting connection to /etc/shadow O_NOCTTY| O_NONBLOCK) = 6 O_NOCTTY| O_NONBLOCK) = 7 daemon: 23540): DEBUG: GPS channel can connect
** (gypsy-
** (gypsy-
** (gypsy-
** (gypsy-
open("/etc/shadow", O_RDONLY|
open("/etc/shadow", O_RDWR|
** (gypsy-
There appear to be unchecked buffer overflows as well in gps_channel_ garmin_ input() via nmeabuf and nmea_gpgsv(), which could be used in an attack. (If the local user attaches gypsy to a pseudo-tty they might be able to trick the string handling.)