Fedora has issued an advisory on March 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NPBGYNXS2TXDAYUNJV3HHJKVOBHP45B4/

The issue might already be fixed in the version we have in Cauldron, but Mageia 6 would still be affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing daviddavid.
QA Contact: (none) => security
Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11
Component: RPM Packages => Security
Fixed now for mga6!
Thanks! Did you verify that it's already fixed in Cauldron?

gpsd-3.16-2.2.mga6
libgpsd22-3.16-2.2.mga6
libQgpsmm22-3.16-2.2.mga6
libgpsd-devel-3.16-2.2.mga6
gpsd-clients-3.16-2.2.mga6
python-gpsd-3.16-2.2.mga6

from gpsd-3.16-2.2.mga6
Yes of course and since release 3.18 this CVE has been fixed!
Advisory:
========================

Updated gpsd packages fix security vulnerability:

A stack-based buffer overflow flaw was found in gpsd versions 2.90 to 3.17. Successful exploitation of this vulnerability could allow remote code execution, data exfiltration, or denial-of-service via device crash (CVE-2018-17937).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17937
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NPBGYNXS2TXDAYUNJV3HHJKVOBHP45B4/

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
I don't have a separate GPS, so limited testing.
At CLI:
# systemctl -l status gpsd
● gpsd.service - GPS (Global Positioning System) Daemon
   Loaded: loaded (/usr/lib/systemd/system/gpsd.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
# systemctl start gpsd
# systemctl -l status gpsd
● gpsd.service - GPS (Global Positioning System) Daemon
   Loaded: loaded (/usr/lib/systemd/system/gpsd.service; enabled; vendor preset: enabled)
   Active: active (running) since zo 2019-03-17 10:05:54 CET; 2s ago
 Main PID: 7068 (gpsd)
   CGroup: /system.slice/gpsd.service
           └─7068 /usr/sbin/gpsd -N -n
mrt 17 10:05:54 mach6.hviaene.thuis systemd[1]: Started GPS (Global Positioning System) Daemon.
Further
$ gpsctl
gpsctl:ERROR: no devices connected.
$ xgps
Loads viewer OK
As far as I can see, all good. Wait for a better equipped tester to finally OK this update.
CC: (none) => herman.viaene
Advisory committed to svn.
Adding ok based on comment 6.
Validating the update.
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0150.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED