Bug 9969 - gpsd new security issue CVE-2013-2038
Summary: gpsd new security issue CVE-2013-2038
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: feedback
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-03 18:48 CEST by David Walser
Modified: 2013-05-08 14:29 CEST

See Also:
Source RPM: gpsd-3.3-2.mga2.src.rpm
CVE:
Status comment:

Description David Walser 2013-05-03 18:48:53 CEST
A denial of service issue fixed upstream in gpsd was assigned a CVE:
http://openwall.com/lists/oss-security/2013/05/02/17

Patched packages uploaded for Mageia 2 and Cauldron.

Patch added in Mageia 1 SVN.

Advisory:
========================

Updated sssd packages fix security vulnerability:

A denial of service flaw was found in the way the AIS driver packet parser of
gpsd processed certain malformed packets. A remote attacker could provide a
specially-crafted device input that, when processed, would lead to a crash of
gpsd's packet parser (gpsd daemon termination) (CVE-2013-2038).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2038
https://bugzilla.redhat.com/show_bug.cgi?id=958717
========================

Updated packages in core/updates_testing:
========================
gpsd-3.3-2.1.mga2
libgpsd20-3.3-2.1.mga2
libQgpsmm20-3.3-2.1.mga2
libgpsd-devel-3.3-2.1.mga2
gpsd-clients-3.3-2.1.mga2
gpsd-python-3.3-2.1.mga2

from gpsd-3.3-2.1.mga2.src.rpm

Comment 1 David Walser 2013-05-03 18:51:16 CEST
Whoops, copy-paste error in the advisory.  Reposting.

Advisory:
========================

Updated gpsd packages fix security vulnerability:

A denial of service flaw was found in the way the AIS driver packet parser of
gpsd processed certain malformed packets. A remote attacker could provide a
specially-crafted device input that, when processed, would lead to a crash of
gpsd's packet parser (gpsd daemon termination) (CVE-2013-2038).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2038
https://bugzilla.redhat.com/show_bug.cgi?id=958717
========================

Updated packages in core/updates_testing:
========================
gpsd-3.3-2.1.mga2
libgpsd20-3.3-2.1.mga2
libQgpsmm20-3.3-2.1.mga2
libgpsd-devel-3.3-2.1.mga2
gpsd-clients-3.3-2.1.mga2
gpsd-python-3.3-2.1.mga2

from gpsd-3.3-2.1.mga2.src.rpm
Comment 2 David Walser 2013-05-03 20:37:15 CEST
Oden, I'm not on the oss-sec list, but I think Jan got this confused:
http://openwall.com/lists/oss-security/2013/05/03/3

Reading Eric's previous message, I'm pretty sure the CVE-2013-2038 was assigned for the second issue he described, the AIS driver crash fixed in commit 08edc49d8f63c75bfdfb480b083b0d960310f94f.

The first issue in the mail was another possible crash in some cases due to a malformed packet, which probably doesn't need a CVE.

CC: (none) => oe

Comment 3 Jan Lieskovsky 2013-05-07 10:45:12 CEST
Hi Oden, David,

(In reply to David Walser from comment #2)
> Oden, I'm not on the oss-sec list, but I think Jan got this confused:
> http://openwall.com/lists/oss-security/2013/05/03/3
> 
> Reading Eric's previous message, I'm pretty sure the CVE-2013-2038 was
> assigned for the second issue he described, the AIS driver crash fixed in
> commit 08edc49d8f63c75bfdfb480b083b0d960310f94f.

I might be wrong, but I think the real DoS condition was in the NMEA driver. From:
  http://openwall.com/lists/oss-security/2013/05/03/3

(prefixing quoted lines with % character)
  
% There are two critical patches which solve two different DoSes (well,
% one certain and one potential) 

% The crash bug was in the NMEA driver.  There's a particular kind of malformed
% packet, sometimes emitted by SiRFStar-III receivers, that looks like this:
% 
% $GPGGA,030130$GPGLL,2638.1728,N,08011.3893,W,030131.000,A,A*41\r\n
% 
% See the incomplete GGA without trailing \r\n at the front?  Usually
% that was harmless and would be silently discarded. Under rare circumstances
% it could core dump (but not any more, I now have a regression test to check
% this case).
% 
% That fix was commit dd9c3c2830cb8f8fd8491ce68c82698dc5538f50.

This makes me think it was the real crash.
 
% The potential crash/DoS was in the AIS driver.
% 
%
..
% The un-armoring logic was not properly bounds-checked, potentially
% opening up a hole. In theory, an overlong armored packet could be
% crafted to overrun the binary-packet buffer.
..

% 
% I put in a check anyway, because (a) I could be wrong about that, (b)
% supposing I'm right, that invariant could get silently broken by a future
% code change.
% 
% That was commit 08edc49d8f63c75bfdfb480b083b0d960310f94f, responding
% to Savannah bug #38511.

While this one was the theoretical / potential one (just a measure for future code changes).

> 
> The first issue in the mail was another possible crash in some cases due to
> a malformed packet, which probably doesn't need a CVE.

Based on Eric's first reply I would say the exact opposite: that CVE-2013-2038 got assigned to upstream commit dd9c3c2830cb8f8fd8491ce68c82698dc5538f50, while 08edc49d8f63c75bfdfb480b083b0d960310f94f was just a preventive measure.

Updated the Red Hat bugzilla bug to reflect this && will ask Eric for explicit confirmation / refutation.

Regards, Jan.

CC: (none) => jlieskov
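The malformed SiRFStar-III packet Eric quotes above (a GGA fragment with no terminating CRLF run straight into a GLL sentence) is a framing problem: a parser that only looks for the terminator will hand the combined bytes to the sentence decoder. The following is an added example, not gpsd's code, of a defensive NMEA framer that restarts on every '$', verifies the XOR checksum, and bounds the sentence buffer so an overlong input is dropped instead of overrunning it (the concern behind the AIS un-armoring fix). The 82-byte limit comes from NMEA 0183; the sample packet is the one quoted from Eric's mail.

```c
#include <stdio.h>
#include <string.h>
#define NMEA_MAX 82  /* NMEA 0183 limits a sentence to 82 bytes including "$" and CRLF */

/* Return 1 if s has the form "$...*hh" and hh equals the XOR of every byte
 * between '$' and '*', else 0. */
static int nmea_checksum_ok(const char *s)
{
    const char *star = strchr(s, '*');
    unsigned char sum = 0; unsigned int want;
    if (s[0] != '$' || star == NULL || strlen(star) != 3)
        return 0;
    for (const char *p = s + 1; p < star; p++)
        sum ^= (unsigned char)*p;
    if (sscanf(star + 1, "%2x", &want) != 1)
        return 0;
    return sum == want;
}

/* Frame a raw byte stream into checksum-valid sentences, written to out.
 * A '$' arriving before the current sentence is terminated (the SiRFStar-III
 * quirk quoted above) discards the incomplete fragment, and a sentence longer
 * than NMEA_MAX is dropped rather than allowed to overrun the buffer.
 * Returns the number of sentences stored. */
int nmea_split(const char *buf, size_t len, char out[][NMEA_MAX + 1], int max_out)
{
    char cur[NMEA_MAX + 1];
    size_t n = 0;
    int count = 0, in_sentence = 0;
    for (size_t i = 0; i < len && count < max_out; i++) {
        char c = buf[i];
        if (c == '$') {                 /* start (or restart) of a sentence */
            n = 0; cur[n++] = c; in_sentence = 1;
        } else if (!in_sentence) {
            continue;                   /* noise between sentences */
        } else if (c == '\r' || c == '\n') {
            cur[n] = '\0';
            if (nmea_checksum_ok(cur))
                strcpy(out[count++], cur);
            in_sentence = 0; n = 0;
        } else if (n >= NMEA_MAX) {
            in_sentence = 0; n = 0;     /* overlong: drop, never write past cur */
        } else {
            cur[n++] = c;
        }
    }
    return count;
}
```

Fed the quoted packet, `nmea_split` yields only the complete GLL sentence; the "$GPGGA,030130" fragment never reaches a decoder.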

Comment 4 claire robinson 2013-05-07 14:52:01 CEST
Adding feedback marker, thanks Jan

Whiteboard: (none) => feedback

Comment 5 David Walser 2013-05-08 14:29:53 CEST
Thank you Jan and Oden for helping clear this up.

Eric has responded and Jan was correct:
http://openwall.com/lists/oss-security/2013/05/08/1

The actual CVE issue did not affect gpsd 3.3, but only newer versions.

I'll leave the patch for the potential AIS driver overrun in SVN (renamed and commit log propedit'd), but we don't need to push an update here.

Status: NEW => RESOLVED
Resolution: (none) => INVALID

