Re: ✘gpsd release coming
From: Bernd Zeimetz
Subject: Re: ✘gpsd release coming
Date: Tue, 4 Aug 2020 19:08:51 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0

On 8/4/20 6:33 PM, Gary E. Miller wrote:
> The algo is:
>
> Check in GPSD_HOME
>
> Check in current working directory

This is a security risk, unless you add at least some extra
measurements by checking if at least the owner is the same user as the
one who is running the process at the moment.

I think I've mentioned it before that loading things from the cwd is a
bad bad idea in general.

What you could do is to use the directory of the binary/script you are
running.

Otherwise some evil guy could talk root into running gpscat or whatever
in /tmp, while having an enhanced libgpsdpacket lying around there.
Such things are worth a CVE.

Bernd
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
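
One way to apply the checks suggested in this message, as an added example (not gpsd's code and not part of the original post): search GPSD_HOME and the running script's directory, never the current working directory, and accept a file only if it and its directory pass an ownership and permission check. The function names and the `libgpsdpacket.so` file name are assumptions made for illustration.

```python
import os
import stat
import sys


def trusted(path, uid=None):
    """True if path is owned by uid (default: effective uid) or root and
    is not writable by group or others. Symlinks are resolved first."""
    uid = os.geteuid() if uid is None else uid
    try:
        st = os.stat(os.path.realpath(path))
    except OSError:
        return False
    if st.st_uid not in (0, uid):
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_library(name, env=None, script=None, uid=None):
    """Return the real path of the first trusted copy of `name`, or None.

    Search order: $GPSD_HOME, then the directory of the running script.
    The current working directory is deliberately not searched.
    """
    env = os.environ if env is None else env
    script = sys.argv[0] if script is None else script
    dirs = []
    if env.get("GPSD_HOME"):
        dirs.append(env["GPSD_HOME"])
    if script:  # empty in an interactive interpreter: no script directory
        dirs.append(os.path.dirname(os.path.realpath(script)))
    for d in dirs:
        candidate = os.path.join(d, name)
        # Both the directory and the file must pass, otherwise a file in a
        # world-writable directory could be swapped after the check.
        if os.path.isfile(candidate) and trusted(d, uid) and trusted(candidate, uid):
            return os.path.realpath(candidate)
    return None


if __name__ == "__main__":
    # Hypothetical library file name, used only for this illustration.
    print(find_library("libgpsdpacket.so"))
```

The check covers only the file and its immediate directory; parent directories are not examined.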