Bug 24506

Summary: gpsd new security issue CVE-2018-17937
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, geiger.david68210, herman.viaene, marja11, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: gpsd-3.18.1-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-03-13 19:19:53 CET 
Fedora has issued an advisory on March 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NPBGYNXS2TXDAYUNJV3HHJKVOBHP45B4/

The issue might already be fixed in the version we have in Cauldron, but Mageia 6 would still be affected.
David Walser 2019-03-13 19:20:00 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-03-14 16:25:50 CET 
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC'ing daviddavid.

QA Contact: (none) => security
Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11
Component: RPM Packages => Security

Comment 2 David GEIGER 2019-03-14 17:19:10 CET 
Fixed now for mga6!
Comment 3 David Walser 2019-03-14 17:57:22 CET 
Thanks!  Did you verify that it's already fixed in Cauldron?

gpsd-3.16-2.2.mga6
libgpsd22-3.16-2.2.mga6
libQgpsmm22-3.16-2.2.mga6
libgpsd-devel-3.16-2.2.mga6
gpsd-clients-3.16-2.2.mga6
python-gpsd-3.16-2.2.mga6

from gpsd-3.16-2.2.mga6
Comment 4 David GEIGER 2019-03-14 18:05:27 CET 
Yes of course and since release 3.18 this CVE has been fixed!
Comment 5 David Walser 2019-03-16 16:44:39 CET 
Advisory:
========================

Updated gpsd packages fix security vulnerability:

A stack-based buffer overflow flaw was found in gpsd versions 2.90 to 3.17.
Successful exploitation of this vulnerability could allow remote code
execution, data exfiltration, or denial-of service via device crash
(CVE-2018-17937).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17937
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NPBGYNXS2TXDAYUNJV3HHJKVOBHP45B4/

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs

Comment 6 Herman Viaene 2019-03-17 10:32:32 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
I don't have a separate GPS, so limited testing.
At CLI:
# systemctl -l status gpsd
● gpsd.service - GPS (Global Positioning System) Daemon
   Loaded: loaded (/usr/lib/systemd/system/gpsd.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
# systemctl  start gpsd
# systemctl -l status gpsd
● gpsd.service - GPS (Global Positioning System) Daemon
   Loaded: loaded (/usr/lib/systemd/system/gpsd.service; enabled; vendor preset: enabled)
   Active: active (running) since zo 2019-03-17 10:05:54 CET; 2s ago
 Main PID: 7068 (gpsd)
   CGroup: /system.slice/gpsd.service
           └─7068 /usr/sbin/gpsd -N -n

mrt 17 10:05:54 mach6.hviaene.thuis systemd[1]: Started GPS (Global Positioning System) Daemon.

Further

$ gpsctl 
gpsctl:ERROR: no devices connected.

$ xgps
Loads viewer OK

As far as I can see, all good. Wait for a better equipped tester to finally OK this update.

CC: (none) => herman.viaene

Comment 7 Dave Hodgins 2019-04-10 23:43:24 CEST 
Advisory committed to svn.
Adding ok based on comment 6
Validating the update.

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 8 Mageia Robot 2019-04-11 00:47:19 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0150.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED