
Bug#706727: unblock: gpsd/3.6-5



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi!

Please unblock package gpsd as it fixes CVE-2013-2038

The bug is not *that* bad, so if you don't have the time to get it in
before wheezy is released, I'll prepare an update for the first point
release, no problem at all. 

Thanks,

Bernd

unblock gpsd/3.6-5



diff --git a/debian/changelog b/debian/changelog
index 4fb3c27..54e87f3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+gpsd (3.6-5) unstable; urgency=medium
+
+  * [818fb0a6] Fixing two security bugs in gpsd
+    - one triggered by malformed NMEA packets, making gpsd crash
+    - the other one is a possible DOS in the AIS parser,
+      CVE-2013-2038
+    Thanks to Salvatore Bonaccorso (Closes: #706665)
+
+ -- Bernd Zeimetz <bzed@debian.org>  Fri, 03 May 2013 20:57:35 +0200
+
 gpsd (3.6-4) unstable; urgency=low
 
   * [8607cd96] Add some bugfixes from upstream.
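Review bot: "DOS" in the changelog entry should read "DoS" (denial of service), and the entry would be easier to trace if the AIS item also named the upstream Savannah bug #38511 next to CVE-2013-2038, matching the patch file 08edc49_Address-Savannah-bug-38511 added in this upload; the NMEA crash item likewise carries no upstream reference, while the corresponding patch file is named after commit dd9c3c2.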
diff --git a/debian/patches/08edc49_Address-Savannah-bug-38511 b/debian/patches/08edc49_Address-Savannah-bug-38511
new file mode 100644
index 0000000..23803a6
--- /dev/null
+++ b/debian/patches/08edc49_Address-Savannah-bug-38511
@@ -0,0 +1,23 @@
+From 08edc49d8f63c75bfdfb480b083b0d960310f94f Mon Sep 17 00:00:00 2001
+From: "Eric S. Raymond" <esr@thyrsus.com>
+Date: Wed, 10 Apr 2013 22:22:34 -0400
+Subject: [PATCH] Address Savannah bug #38511:
+
+ais_context->bitlen <= sizeof(ais_context->bits)/8 is not checked
+---
+ drivers.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers.c
++++ b/drivers.c
+@@ -1332,6 +1332,10 @@ static bool aivdm_decode(const char *buf
+ 		    (1 << (7 - ais_context->bitlen % 8));
+ 	    }
+ 	    ais_context->bitlen++;
++	    if (ais_context->bitlen > sizeof(ais_context->bits)) {
++		gpsd_report(LOG_INF, "overlong AIVDM payload truncated.\n");
++		return false;
++	    }
+ 	}
+ 	/*@ +shiftnegative @*/
+     }
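Review bot: the new bound compares a bit count against a byte count: `ais_context->bitlen` is advanced one bit at a time (the write just above it indexes `bits[bitlen / 8]`), while `sizeof(ais_context->bits)` is the array size in bytes, and the commit message itself phrases the missing check as `bitlen <= sizeof(ais_context->bits)/8`. As written the check is memory-safe, since at the time of the write `bitlen` is at most `sizeof(bits)` and the index `bitlen / 8` stays well inside the array, but it also rejects any payload longer than `sizeof(bits)` bits, one eighth of the buffer; if full-length payloads are meant to be accepted the limit should be `sizeof(ais_context->bits) * 8`, and either way a comment stating the unit would help. Two smaller points: the message says "truncated" but the function discards the payload with `return false`, and that early return leaves `ais_context->bitlen` at the overlong value, so it is worth confirming the caller resets the context before the next fragment is decoded.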
diff --git a/debian/patches/dd9c3c2_Fix-a-malformed-packet-crash b/debian/patches/dd9c3c2_Fix-a-malformed-packet-crash
new file mode 100644
index 0000000..e60fcea
--- /dev/null
+++ b/debian/patches/dd9c3c2_Fix-a-malformed-packet-crash
@@ -0,0 +1,33 @@
+From dd9c3c2830cb8f8fd8491ce68c82698dc5538f50 Mon Sep 17 00:00:00 2001
+From: "Eric S. Raymond" <esr@thyrsus.com>
+Date: Wed, 24 Apr 2013 07:44:35 -0400
+Subject: [PATCH] Fix a malformed-packet crash.
+
+Under weird circumstances, this line of device input
+
+$GPGGA,030130$GPGLL,2638.1728,N,08011.3893,W,030131.000,A,A*41
+
+could core-dump the packet parser.  The context had to be exactly
+right for it to happen.  The bug was an incorrect attempt at optimizing
+recovery from this rare case.
+---
+ NEWS                      |    3 ++-
+ packet.c                  |    5 ++---
+ test/daemon/triton400.log |   11 ++++++-----
+ www/faq.html.in           |    4 ++--
+ 4 files changed, 12 insertions(+), 11 deletions(-)
+
+--- a/packet.c
++++ b/packet.c
+@@ -471,9 +471,8 @@ static void nextstate(struct gps_packet_
+ 	    /* not strictly correct, but helps for interpreting logfiles */
+ 	    lexer->state = NMEA_RECOGNIZED;
+ 	else if (c == '$'){
+-	    /* faster recovery from missing sentence trailers */
+-	    lexer->state = NMEA_DOLLAR;
+-	    lexer->inbufptr += (n-1);
++	    lexer->state = GROUND_STATE;
++	    character_pushback(lexer);
+ 	} else if (!isprint(c))
+ 	    lexer->state = GROUND_STATE;
+ 	break;
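Review bot: the embedded diffstat lists NEWS, test/daemon/triton400.log and www/faq.html.in as changed (4 files, 12 insertions, 11 deletions), but the patch carries only the packet.c hunk, so the stat no longer describes the patch; either trim it to `packet.c | 5 ++---` or, preferably, keep the test/daemon/triton400.log update so the regression suite exercises the `$GPGGA,030130$GPGLL,...` input quoted in the commit message. The code change itself reads right: on a stray `$` the lexer now drops to GROUND_STATE and pushes the character back for a clean re-scan instead of skipping ahead by n-1 bytes, the recovery shortcut the commit message identifies as the cause of the crash.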
diff --git a/debian/patches/series b/debian/patches/series
index 9c47577..c9b2081 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,5 @@ a3f6c60_Do-not-assume-little_endian-just-because-__BIG_ENDIAN__-is-not-defined
 5158d66_Fix-the-leap-seconds-notify
 c5623da_Another-fix-the-leap-seconds-notify
 7f25576_Rebuild-some-binary-driver-tests.-Explain-why-this-is-needed
+08edc49_Address-Savannah-bug-38511
+dd9c3c2_Fix-a-malformed-packet-crash

