Bug 34959 - gpsd new security issues CVE-2025-6726[89]
Summary: gpsd new security issues CVE-2025-6726[89]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-01-09 15:21 CET by Nicolas Salguero
Modified: 2026-01-30 01:40 CET (History)
3 users (show)

See Also:
Source RPM: gpsd-3.25-1.mga9.src.rpm
CVE: CVE-2025-67268, CVE-2025-67269
Status comment:
andrewsfarm: test_passed_mga9_64+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2026-01-09 15:21:02 CET 
Ubuntu has issued an advisory on January 8:
https://ubuntu.com/security/notices/USN-7948-1
Nicolas Salguero 2026-01-09 15:21:50 CET

Status comment: (none) => Patches available from upstream and Ubuntu
Source RPM: (none) => gpsd-3.25-1.mga9.src.rpm
CVE: (none) => CVE-2025-67268, CVE-2025-67269

Comment 1 Nicolas Salguero 2026-01-09 15:22:22 CET 
Those issues are fixed in 3.27.1 so Cauldron is not affected.
Comment 2 Nicolas Salguero 2026-01-09 15:37:11 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution. (CVE-2025-67268)

An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition. (CVE-2025-67269)

References:
https://ubuntu.com/security/notices/USN-7948-1
========================

Updated packages in core/updates_testing:
========================
gpsd-3.25-1.1.mga9
gpsd-clients-3.25-1.1.mga9
lib(64)Qgpsmm30-3.25-1.1.mga9
lib(64)gpsd30-3.25-1.1.mga9
lib(64)gpsd-devel-3.25-1.1.mga9
lib(64)gpsdpacket30-3.25-1.1.mga9
python3-gpsd-3.25-1.1.mga9

from SRPM:
gpsd-3.25-1.1.mga9.src.rpm

Status comment: Patches available from upstream and Ubuntu => (none)
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED

katnatek 2026-01-09 22:40:54 CET

Keywords: (none) => advisory

Comment 3 Len Lawrence 2026-01-10 19:51:47 CET 
Mageia 9 x86_64

Installed this via qarepo.  No problems there but without a GPS device this cannot be tested properly here.

All that can be done is start the gpsd daemon and run xgps.
That brings up the satellite list (empty) together with a blank sky view and various GPS data: n/a.

OK as far as it goes.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2026-01-10 20:28:47 CET 
An addendum to comment 3.  The service can be activated as a socket:
$ sudo systemctl start gpsd.socket
$ sudo systemctl status gpsd.socket
● gpsd.socket - GPS (Global Positioning System) Daemon Sockets
     Loaded: loaded (/usr/lib/systemd/system/gpsd.socket; disabled; preset: ena>
     Active: active (running) since Sat 2026-01-10 18:41:04 GMT; 41min ago
   Triggers: ● gpsd.service
     Listen: /run/gpsd.sock (Stream)
             [::1]:2947 (Stream)
             127.0.0.1:2947 (Stream)
      Tasks: 0 (limit: 37704)
     Memory: 12.0K
        CPU: 2ms
     CGroup: /system.slice/gpsd.socket

Jan 10 18:41:04 rutilicus systemd[1]: Listening on gpsd.socket.
Comment 5 Thomas Andrews 2026-01-29 20:56:17 CET 
I had forgotten that I bought a gps dongle to use for testing Bug 29322. Once I was reminded, I stirred around in my desk drawer and came up with the unit.

First I tried plugging it directly into my desktop usb port, and ran xgps. Results were disappointing. It could "see" 3 or 4 satellites, but not well enough to "use" any of them.

Reading a little further in the old bug, I found that I had had much greater success by using a usb extension, to get the device away from the computer. So I tried that. As before, MUCH better. Now, xgps "sees" 19 satellites, and "uses" 11 of them. Reported position information is a little off from that of Google Earth Pro, but it's close. (I have no idea which might be the most accurate) Elevation above sea level looks correct. 

"Speed" data varies, but at one point I did see it calculate it at 0.5mph. That seems a little fast for a stationary desk, but who am I to argue?

xgpsspeed looks OK, too, though it too has the desk moving around more than I notice by watching it. But, it is connecting with satellites and receiving data.

Anyway, it looks like this is working as designed. I suspect that strange readings like desk speed are coming from this being an inexpensive unit. Giving it an OK, and validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Mageia Robot 2026-01-30 01:40:28 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0028.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.