Bug#706727: unblock: gpsd/3.6-5

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi!

Please unblock package gpsd as it fixes CVE-2013-2038

The bug is not *that* bad, so if you don't have the time to get it in
before wheezy is released, I'll prepare an update for the first point
release, no problem at all.

Thanks,

Bernd

unblock gpsd/3.6-5
diff --git a/debian/changelog b/debian/changelog
index 4fb3c27..54e87f3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+gpsd (3.6-5) unstable; urgency=medium
+
+ * [818fb0a6] Fixing two security bugs in gpsd
+ - one triggered by malformed NMEA packets, making gpsd crash
+ - the other one is a possible DOS in the AIS parser,
+ CVE-2013-2038
+ Thanks to Salvatore Bonaccorso (Closes: #706665)
+
+ -- Bernd Zeimetz <bzed@debian.org> Fri, 03 May 2013 20:57:35 +0200
+
gpsd (3.6-4) unstable; urgency=low
* [8607cd96] Add some bugfixes from upstream.
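Review bot: the changelog entry cites CVE-2013-2038 for the AIS issue but gives no upstream reference for either fix, while the patch file added below is named after Savannah bug #38511; mentioning that bug number (and that the NMEA crash fix is upstream commit dd9c3c2) in the entry would let the release team and security tracker trace both changes without opening the patch headers. Also, "Fixing two security bugs" is vague for a changelog; the two sub-bullets already say what they are, so "Fix two security bugs:" reads better as the lead-in.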
diff --git a/debian/patches/08edc49_Address-Savannah-bug-38511 b/debian/patches/08edc49_Address-Savannah-bug-38511
new file mode 100644
index 0000000..23803a6
--- /dev/null
+++ b/debian/patches/08edc49_Address-Savannah-bug-38511
@@ -0,0 +1,23 @@
+From 08edc49d8f63c75bfdfb480b083b0d960310f94f Mon Sep 17 00:00:00 2001
+From: "Eric S. Raymond" <esr@thyrsus.com>
+Date: Wed, 10 Apr 2013 22:22:34 -0400
+Subject: [PATCH] Address Savannah bug #38511:
+
+ais_context->bitlen <= sizeof(ais_context->bits)/8 is not checked
+---
+ drivers.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers.c
++++ b/drivers.c
+@@ -1332,6 +1332,10 @@ static bool aivdm_decode(const char *buf
+ (1 << (7 - ais_context->bitlen % 8));
+ }
+ ais_context->bitlen++;
++ if (ais_context->bitlen > sizeof(ais_context->bits)) {
++ gpsd_report(LOG_INF, "overlong AIVDM payload truncated.\n");
++ return false;
++ }
+ }
+ /*@ +shiftnegative @*/
+ }
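Review bot: the new bound check `if (ais_context->bitlen > sizeof(ais_context->bits))` runs after the bit has already been stored (the `|= (1 << (7 - ais_context->bitlen % 8))` write precedes `ais_context->bitlen++`), and its units do not match the subject line, which states the missing condition as `ais_context->bitlen <= sizeof(ais_context->bits)/8`. Please reconcile the two: either the check is meant in bits (then it should be expressed against the array's capacity in bits and placed before the write so the store is never out of bounds), or it is deliberately a byte-sized limit (then the commit message should say so). The log text also says "truncated" while `return false` discards the packet; one of the two should change so the message describes what actually happens.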
diff --git a/debian/patches/dd9c3c2_Fix-a-malformed-packet-crash b/debian/patches/dd9c3c2_Fix-a-malformed-packet-crash
new file mode 100644
index 0000000..e60fcea
--- /dev/null
+++ b/debian/patches/dd9c3c2_Fix-a-malformed-packet-crash
@@ -0,0 +1,33 @@
+From dd9c3c2830cb8f8fd8491ce68c82698dc5538f50 Mon Sep 17 00:00:00 2001
+From: "Eric S. Raymond" <esr@thyrsus.com>
+Date: Wed, 24 Apr 2013 07:44:35 -0400
+Subject: [PATCH] Fix a malformed-packet crash.
+
+Under weird circumstances, this line of device input
+
+$GPGGA,030130$GPGLL,2638.1728,N,08011.3893,W,030131.000,A,A*41
+
+could core-dump the packet parser. The context had to be exactly
+right for it to happen. The bug was an incorrect attempt at optimizing
+recovery from this rare case.
+---
+ NEWS | 3 ++-
+ packet.c | 5 ++---
+ test/daemon/triton400.log | 11 ++++++-----
+ www/faq.html.in | 4 ++--
+ 4 files changed, 12 insertions(+), 11 deletions(-)
+
+--- a/packet.c
++++ b/packet.c
+@@ -471,9 +471,8 @@ static void nextstate(struct gps_packet_
+ /* not strictly correct, but helps for interpreting logfiles */
+ lexer->state = NMEA_RECOGNIZED;
+ else if (c == '$'){
+- /* faster recovery from missing sentence trailers */
+- lexer->state = NMEA_DOLLAR;
+- lexer->inbufptr += (n-1);
++ lexer->state = GROUND_STATE;
++ character_pushback(lexer);
+ } else if (!isprint(c))
+ lexer->state = GROUND_STATE;
+ break;
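Review bot: the patch header lists NEWS, test/daemon/triton400.log and www/faq.html.in among the changed files, but only the packet.c hunk is carried, so the diffstat is misleading and the updated regression log (test/daemon/triton400.log) that exercises the `$GPGGA,030130$GPGLL,...` input from the commit message is not part of the package. Either trim the diffstat to the one file actually included, or carry the test log change as well so the package's regression run covers the fix. The code change itself looks right: falling back to GROUND_STATE and calling `character_pushback(lexer)` re-lexes the `$` as the start of a new sentence instead of skipping `n-1` bytes of the input buffer, which is what made the context-dependent crash possible.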
diff --git a/debian/patches/series b/debian/patches/series
index 9c47577..c9b2081 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,5 @@ a3f6c60_Do-not-assume-little_endian-just-because-__BIG_ENDIAN__-is-not-defined
5158d66_Fix-the-leap-seconds-notify
c5623da_Another-fix-the-leap-seconds-notify
7f25576_Rebuild-some-binary-driver-tests.-Explain-why-this-is-needed
+08edc49_Address-Savannah-bug-38511
+dd9c3c2_Fix-a-malformed-packet-crash