CVE-2008-5704
Published 2008-12-22
Priority: P428, high, 7.6 (CVSS 2.0)
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
EPSS: 1.19% (63.9th percentile)
src/unit_test.c in gpsdrive (aka gpsdrive-scripts) 2.10~pre4 might allow local users to overwrite arbitrary files via a symlink attack on the /tmp/gpsdrive-unit-test/proc temporary file, a different vector than CVE-2008-4959 and CVE-2008-5380.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gpsdrive | gpsdrive | <= 2.10 | — |
| gpsdrive | gpsdrive | — | — |
| gpsdrive | gpsdrive | — | — |
| gpsdrive | gpsdrive | — | — |
CVSS provenance
nvd · v2.0 · 7.6 HIGH · AV:N/AC:H/Au:N/C:C/I:C/A:C
vendor_redhat · 6.9 MEDIUM
GHSA
GHSA-xq2x-gx2h-74r3: src/unit_test
ghsa_unreviewed·2022-05-17·CVSS 6.9
CVE-2008-5704 [MEDIUM] CWE-59 GHSA-xq2x-gx2h-74r3: src/unit_test
Red Hat
gpsdrive: insecure temporary file use in unit_test.c
vendor_redhat·CVSS 6.9
CVE-2008-5704 [MEDIUM] CWE-377 gpsdrive: insecure temporary file use in unit_test.c
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2008-5704 gpsdrive: insecure temporary file use in unit_test.c
bugzilla·2009-01-27·CVSS 6.9
CVE-2008-5704 [MEDIUM] CVE-2008-5704 gpsdrive: insecure temporary file use in unit_test.c
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5704 to the following vulnerability:
src/unit_test.c in gpsdrive (aka gpsdrive-scripts) 2.10~pre4 might allow local
users to overwrite arbitrary files via a symlink attack on the
/tmp/gpsdrive-unit-test/proc temporary file, a different vector than
CVE-2008-4959 and CVE-2008-5380.
References:
http://openwall.com/lists/oss-security/2008/12/17/15
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508597
Discussion:
Modified upstream to create temporary directory using mkdtemp:
http://gpsdrive.svn.sourceforge.net/viewvc/gpsdrive?view=rev&revision=2236
---
We don't ship the 2.10* versions anywhere yet. ;)
We only have 2.09.
So, I assume we can just close
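The upstream fix mentioned in the discussion above replaces the fixed /tmp/gpsdrive-unit-test path with a directory created by mkdtemp. The following is an added example of that pattern, not gpsdrive's code or the upstream patch; the function names and the `gpsdrive-unit-test-XXXXXX` template are assumptions. It also creates the file inside the directory with O_EXCL and O_NOFOLLOW, so an entry that already exists, including a symlink, is refused rather than followed:

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private, unpredictably named work directory (mkdtemp uses
 * mode 0700). Returns 0 and fills `out` with its path, or -1 with
 * errno set. The template name is an assumption for this example. */
int make_workdir(char *out, size_t len)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    int n = snprintf(out, len, "%s/gpsdrive-unit-test-XXXXXX", base);
    if (n < 0 || (size_t)n >= len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkdtemp(out) ? 0 : -1;
}

/* Create `name` inside `dir` without following symlinks or reusing an
 * existing entry. Returns an open fd, or -1 with errno set (EEXIST if
 * anything is already there, including a dangling symlink). */
int create_in_workdir(const char *dir, const char *name)
{
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    int fd = openat(dfd, name,
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC,
                    0600);
    int saved = errno;          /* keep openat's errno across close() */
    close(dfd);
    errno = saved;
    return fd;
}

/* Permission bits of `path` without following a final symlink; -1 on error. */
int path_mode(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}
```
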
Bugzilla
CVE-2008-4959 gpsdrive: geo-code insecure temporary file use
bugzilla·2008-11-06·CVSS 6.9
CVE-2008-4959 [MEDIUM] CVE-2008-4959 gpsdrive: geo-code insecure temporary file use
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4959 to the following vulnerability:
geo-code in gpsdrive-scripts 2.10~pre4 allows local users to overwrite
arbitrary files via a symlink attack on (1) /tmp/geo.google, (2)
/tmp/geo.yahoo, (3) /tmp/geo.coords, and (4) /tmp/geo#####.coords
temporary files.
References:
http://bugs.debian.org/496436
http://dev.gentoo.org/~rbu/security/debiantemp/gpsdrive-scripts
https://bugs.gentoo.org/show_bug.cgi?id=235770
http://www.openwall.com/lists/oss-security/2008/10/30/2
Discussion:
Created attachment 322708
Patch used by Debian
Attached is the patch that was used by Debian gpsdrive maintainer. It is not the same as originally proposed one linked in the Debian bug:
h