Debian Bug report logs - #925327
gpsd: CVE-2018-17937
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 23 Mar 2019 08:09:01 UTC
Severity: grave
Tags: security, upstream
Found in versions gpsd/3.16-4, gpsd/3.17-5
Fixed in versions gpsd/3.18.1-1, gpsd/3.17-6
Done: Bernd Zeimetz <bzed@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Bernd Zeimetz <bzed@debian.org>: Bug#925327; Package src:gpsd. (Sat, 23 Mar 2019 08:09:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Bernd Zeimetz <bzed@debian.org>. (Sat, 23 Mar 2019 08:09:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: gpsd
Version: 3.17-5
Severity: grave
Tags: security upstream
Control: found -1 3.16-4
Control: fixed -1 3.18.1-1
Hi,
The following vulnerability was published for gpsd, not completely sure
on severity and on if the referenced upstream commit is enough.
Ideally though the fix seems ideal to go to buster.
CVE-2018-17937[0]:
| gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open
| source project, allow a stack-based buffer overflow, which may allow
| remote attackers to execute arbitrary code on embedded platforms via
| traffic on Port 2947/TCP or crafted JSON inputs.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-17937
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17937
Regards,
Salvatore
Marked as found in versions gpsd/3.16-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 23 Mar 2019 08:09:04 GMT)
Marked as fixed in versions gpsd/3.18.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 23 Mar 2019 08:09:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>: Bug#925327; Package src:gpsd. (Fri, 29 Mar 2019 22:06:03 GMT)
Acknowledgement sent to Bernd Zeimetz <bernd@bzed.de>: Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Fri, 29 Mar 2019 22:06:03 GMT)
Message #14 received at 925327@bugs.debian.org:
Hi Salvatore,
> The following vulnerability was published for gpsd, not completely sure
> on severity and on if the referenced upstream commit is enough.
> Ideally though the fix seems ideal to go to buster.
I've tried to get more information out of Upstream, but did not get a
reply yet. So I'll prepare an upload with the mentioned commit. Looking
through the commit logs from gpsd it seems to be the only relevant one.
Bernd
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>: Bug#925327; Package src:gpsd. (Sat, 30 Mar 2019 07:36:02 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Sat, 30 Mar 2019 07:36:02 GMT)
Message #19 received at 925327@bugs.debian.org:
Hi Bernd,
On Fri, Mar 29, 2019 at 10:54:50PM +0100, Bernd Zeimetz wrote:
> Hi Salvatore,
>
> > The following vulnerability was published for gpsd, not completely sure
> > on severity and on if the referenced upstream commit is enough.
> > Ideally though the fix seems ideal to go to buster.
>
> I've tried to get more information out of Upstream, but did not get a
> reply yet. So I'll prepare an upload with the mentioned commit. Looking
> through the commit logs from gpsd it seems to be the only relevant one.
Ack thank you for investigating, I was neither more successful to
determine if that's enough.
Cc'ing the security team alias, if anyone has more ideas.
Thanks for your work!
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>: Bug#925327; Package src:gpsd. (Sat, 30 Mar 2019 12:27:03 GMT)
Acknowledgement sent to Markus Koschany <apo@debian.org>: Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Sat, 30 Mar 2019 12:27:03 GMT)
Message #24 received at 925327@bugs.debian.org:
Hi,
On Sat, 30 Mar 2019 08:32:34 +0100 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Hi Bernd,
>
> On Fri, Mar 29, 2019 at 10:54:50PM +0100, Bernd Zeimetz wrote:
> > Hi Salvatore,
> >
> > > The following vulnerability was published for gpsd, not completely sure
> > > on severity and on if the referenced upstream commit is enough.
> > > Ideally though the fix seems ideal to go to buster.
> >
> > I've tried to get more information out of Upstream, but did not get a
> > reply yet. So I'll prepare an upload with the mentioned commit. Looking
> > through the commit logs from gpsd it seems to be the only relevant one.
>
> Ack thank you for investigating, I was neither more successful to
> determine if that's enough.
>
> Cc'ing the security team alias, if anyone has more ideas.
I think I would also backport
http://git.savannah.nongnu.org/cgit/gpsd.git/commit/json.c?id=9b3724cb7bca7a0776bcb9b054cd1d8d736278a4
and
http://git.savannah.nongnu.org/cgit/gpsd.git/commit/json.c?id=317375877576b10fd5312a7b0dec4a192881eead
for good measure.
But I agree that the essential fix seems to be
http://git.savannah.nongnu.org/cgit/gpsd.git/commit/?id=7646cbd04055a50b157312ba6b376e88bd398c19
Regards,
Markus
Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>: Bug#925327; Package src:gpsd. (Sat, 30 Mar 2019 15:48:02 GMT)
Acknowledgement sent to Bernd Zeimetz <bernd@bzed.de>: Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Sat, 30 Mar 2019 15:48:02 GMT)
Message #29 received at 925327@bugs.debian.org:
Hi,
totally agree, although I'll also see what upgrading json.c to the latest version gives for results. That should not depend on the rest of the gpsd code.
On 30 March 2019 13:25:45 CET, Markus Koschany <apo@debian.org> wrote:
>Hi,
>
>On Sat, 30 Mar 2019 08:32:34 +0100 Salvatore Bonaccorso
><carnil@debian.org> wrote:
>> Hi Bernd,
>>
>> On Fri, Mar 29, 2019 at 10:54:50PM +0100, Bernd Zeimetz wrote:
>> > Hi Salvatore,
>> >
>> > > The following vulnerability was published for gpsd, not completely sure
>> > > on severity and on if the referenced upstream commit is enough.
>> > > Ideally though the fix seems ideal to go to buster.
>> >
>> > I've tried to get more information out of Upstream, but did not get a
>> > reply yet. So I'll prepare an upload with the mentioned commit. Looking
>> > through the commit logs from gpsd it seems to be the only relevant one.
>>
>> Ack thank you for investigating, I was neither more successful to
>> determine if that's enough.
>>
>> Cc'ing the security team alias, if anyone has more ideas.
>
>I think I would also backport
>
>http://git.savannah.nongnu.org/cgit/gpsd.git/commit/json.c?id=9b3724cb7bca7a0776bcb9b054cd1d8d736278a4
>
>and
>
>http://git.savannah.nongnu.org/cgit/gpsd.git/commit/json.c?id=317375877576b10fd5312a7b0dec4a192881eead
>
>for good measure.
>
>But I agree that the essential fix seems to be
>
>http://git.savannah.nongnu.org/cgit/gpsd.git/commit/?id=7646cbd04055a50b157312ba6b376e88bd398c19
>
>Regards,
>
>Markus
--
This message was sent from my Android device with K-9 Mail.
Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>: Bug#925327; Package src:gpsd. (Sun, 31 Mar 2019 22:45:05 GMT)
Acknowledgement sent to Bernd Zeimetz <bernd@bzed.de>: Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Sun, 31 Mar 2019 22:45:05 GMT)
Message #34 received at 925327@bugs.debian.org:
Hi,
On 3/30/19 8:32 AM, Salvatore Bonaccorso wrote:
> Hi Bernd,
>
> On Fri, Mar 29, 2019 at 10:54:50PM +0100, Bernd Zeimetz wrote:
>> Hi Salvatore,
>>
>>> The following vulnerability was published for gpsd, not completely sure
>>> on severity and on if the referenced upstream commit is enough.
>>> Ideally though the fix seems ideal to go to buster.
>>
>> I've tried to get more information out of Upstream, but did not get a
>> reply yet. So I'll prepare an upload with the mentioned commit. Looking
>> through the commit logs from gpsd it seems to be the only relevant one.
>
> Ack thank you for investigating, I was neither more successful to
> determine if that's enough.
>
> Cc'ing the security team alias, if anyone has more ideas.
So I'd go with
https://github.com/bzed/pkg-gpsd/blob/buster/debian/patches/json-cve-fix
which contains all changes to json.c/.h up to
a399e85c1201400e281f2c1dc29dde21c29b0088
from the upstream repository.
Later changes are not relevant here.
Any objections?
Bernd
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>: Bug#925327; Package src:gpsd. (Mon, 01 Apr 2019 20:06:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Mon, 01 Apr 2019 20:06:03 GMT)
Message #39 received at 925327@bugs.debian.org:
Hi Bernd,
On Mon, Apr 01, 2019 at 12:41:30AM +0200, Bernd Zeimetz wrote:
> Hi,
>
> On 3/30/19 8:32 AM, Salvatore Bonaccorso wrote:
> > Hi Bernd,
> >
> > On Fri, Mar 29, 2019 at 10:54:50PM +0100, Bernd Zeimetz wrote:
> >> Hi Salvatore,
> >>
> >>> The following vulnerability was published for gpsd, not completely sure
> >>> on severity and on if the referenced upstream commit is enough.
> >>> Ideally though the fix seems ideal to go to buster.
> >>
> >> I've tried to get more information out of Upstream, but did not get a
> >> reply yet. So I'll prepare an upload with the mentioned commit. Looking
> >> through the commit logs from gpsd it seems to be the only relevant one.
> >
> > Ack thank you for investigating, I was neither more successful to
> > determine if that's enough.
> >
> > Cc'ing the security team alias, if anyone has more ideas.
>
> So I'd go with
> https://github.com/bzed/pkg-gpsd/blob/buster/debian/patches/json-cve-fix
>
> which contains all changes to json.c/.h up to
> a399e85c1201400e281f2c1dc29dde21c29b0088
>
> from the upstream repository.
>
> Later changes are not relevant here.
>
> Any objections?
Makes sense.
Once uploaded to unstable, can you ask for an unblock so it will reach
buster?
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>: Bug#925327; Package src:gpsd. (Mon, 01 Apr 2019 20:39:02 GMT)
Acknowledgement sent to Bernd Zeimetz <bernd@bzed.de>: Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Mon, 01 Apr 2019 20:39:02 GMT)
Message #44 received at 925327@bugs.debian.org:
Hi,
> Once uploaded to unstable, can you ask for an unblock so it will reach
> buster?
sure, will do.
I'll also see what can/should be ported to stable.
Bernd
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
Reply sent to Bernd Zeimetz <bzed@debian.org>: You have taken responsibility. (Fri, 05 Apr 2019 22:21:06 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 05 Apr 2019 22:21:06 GMT)
Message #49 received at 925327-close@bugs.debian.org:
Source: gpsd
Source-Version: 3.17-6
We believe that the bug you reported is fixed in the latest version of
gpsd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 925327@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernd Zeimetz <bzed@debian.org> (supplier of updated gpsd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 05 Apr 2019 23:31:30 +0200
Source: gpsd
Architecture: source
Version: 3.17-6
Distribution: unstable
Urgency: medium
Maintainer: Bernd Zeimetz <bzed@debian.org>
Changed-By: Bernd Zeimetz <bzed@debian.org>
Closes: 925327
Changes:
gpsd (3.17-6) unstable; urgency=medium
.
* [0a8e4e18] Pull json fixes from upstream to fix a stack-based
buffer overflow, which may allow remote attackers to execute
arbitrary code on embedded platforms via traffic on Port
2947/TCP or crafted JSON inputs.
CVE-2018-17937 / Closes: #925327
The update also fixes several other json parser bugs.
- ECMA-404 says JSON \u must have 4 hex digits
- Allow for \u escapes with fewer than 4 digits.
- Fail on bad escape string.
* [71020f4f] Update git-buildpackage config to build from the
buster branch.
Last modified: Wed Jun 19 17:16:32 2019