gpsd-dev

Re: ✘gpsd release coming


From: Bernd Zeimetz
Subject: Re: ✘gpsd release coming
Date: Tue, 4 Aug 2020 19:08:51 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0


On 8/4/20 6:33 PM, Gary E. Miller wrote:
> The algo is:
> 
> Check in GPSD_HOME
> 
> Check in current working directory

This is a security risk, unless you add at least some extra
measures, such as checking that at least the owner is the same user as
the one who is running the process at the moment.

I think I've mentioned before that loading things from the cwd is a
bad, bad idea in general.
What you could do is to use the directory of the binary/script you are
running.

Otherwise some evil guy could talk root into running gpscat or whatever
in /tmp, while having an enhanced libgpsdpacket lying around there.

Such things are worth a CVE.


Bernd

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F
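The search order Bernd objects to (GPSD_HOME, then the current working directory) and the mitigation he suggests (drop the cwd, prefer the directory of the running script, and refuse a library unless its owner matches the running user) can be shown end to end. The following is an added example written for this page; it is not gpsd's own loader code, and the library name `libgpsdpacket.so`, the function names, the system directories `/usr/local/lib` and `/usr/lib`, and the on-disk fixture are all assumptions made for illustration.

```python
import os
import stat
import sys
import tempfile
from pathlib import Path

# Assumed library name for the example; the real loader's name and search
# order may differ.
LIBRARY_NAME = "libgpsdpacket.so"


def _writable_by_others(mode):
    """True if the group or world write bit is set."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def is_trusted_path(path):
    """Accept a candidate only if it resolves to a regular file owned by the
    current effective user (or root) and neither the file, its directory, nor
    the directory the candidate path itself sits in is writable by others.
    A file that is world-writable, or that lives in a /tmp-style directory,
    fails here even when our own uid owns it."""
    path = Path(path)
    try:
        real = path.resolve(strict=True)
        st = real.stat()
        # Check both the directory named in the search list and the
        # directory the file really lives in (they differ for a symlink).
        dirs = {path.parent.resolve(strict=True), real.parent}
    except OSError:
        return False
    me = os.geteuid()
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid not in (me, 0) or _writable_by_others(st.st_mode):
        return False
    for d in dirs:
        try:
            dst = d.stat()
        except OSError:
            return False
        if dst.st_uid not in (me, 0) or _writable_by_others(dst.st_mode):
            return False
    return True


def candidate_dirs(argv0=None, env=None):
    """Search order with the cwd removed: $GPSD_HOME if set, the directory of
    the running script, then assumed system library directories."""
    env = os.environ if env is None else env
    argv0 = argv0 or sys.argv[0] or sys.executable
    dirs = []
    home = env.get("GPSD_HOME")
    if home:
        dirs.append(Path(home))
    dirs.append(Path(argv0).resolve().parent)
    dirs.extend(Path(p) for p in ("/usr/local/lib", "/usr/lib"))
    return dirs


def find_library(dirs, name=LIBRARY_NAME):
    """Return the first candidate that passes is_trusted_path, or None.
    A candidate that exists but fails the check is skipped, never loaded."""
    for d in dirs:
        cand = Path(d) / name
        if cand.exists() and is_trusted_path(cand):
            return cand
    return None


def build_fixture():
    """Constructed on-disk scenario (fake files, not real gpsd artifacts):
      planted: stands in for /tmp, world-writable with the sticky bit
      loose:   sane directory, but the file itself is world-writable
      safe:    0755 directory holding a 0644 file
    Returns (planted, loose, safe) as Paths under a fresh temp directory."""
    root = Path(tempfile.mkdtemp(prefix="gpsd-lib-demo-"))
    layout = {"planted": (0o1777, 0o644),
              "loose": (0o755, 0o666),
              "safe": (0o755, 0o644)}
    out = []
    for sub, (dmode, fmode) in layout.items():
        d = root / sub
        d.mkdir()
        f = d / LIBRARY_NAME
        f.write_bytes(b"\x7fELF-lookalike: not a real shared object")
        os.chmod(f, fmode)
        os.chmod(d, dmode)
        out.append(d)
    return tuple(out)


if __name__ == "__main__":
    planted, loose, safe = build_fixture()
    for d in (planted, loose, safe):
        print(f"{d}: trusted={is_trusted_path(d / LIBRARY_NAME)}")
    print("chosen:", find_library([planted, loose, safe]))
```

Two caveats a practitioner should keep in mind. Group-writable directories are treated as untrusted here, which is deliberately strict and may reject some local installs. More importantly, a stat-then-dlopen sequence is still a time-of-check/time-of-use race against an attacker who can write to the directory, so the ownership check is a second line of defence; the primary fix is exactly what Bernd says: never put a directory other users can write to, the cwd included, in the search path at all.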


