gpsd: CVE-2018-17937

Related Vulnerabilities: CVE-2018-17937  

Debian Bug report logs - #925327

Package: src:gpsd; Maintainer for src:gpsd is Bernd Zeimetz <bzed@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 23 Mar 2019 08:09:01 UTC

Severity: grave

Tags: security, upstream

Found in versions gpsd/3.16-4, gpsd/3.17-5

Fixed in versions gpsd/3.18.1-1, gpsd/3.17-6

Done: Bernd Zeimetz <bzed@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#925327; Package src:gpsd. (Sat, 23 Mar 2019 08:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Bernd Zeimetz <bzed@debian.org>. (Sat, 23 Mar 2019 08:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gpsd: CVE-2018-17937
Date: Sat, 23 Mar 2019 09:06:07 +0100
Source: gpsd
Version: 3.17-5
Severity: grave
Tags: security upstream
Control: found -1 3.16-4
Control: fixed -1 3.18.1-1

Hi,

The following vulnerability was published for gpsd, not completely sure
on severity and on if the referenced upstream commit is enough.
Ideally though the fix seems ideal to go to buster.

CVE-2018-17937[0]:
| gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open
| source project, allow a stack-based buffer overflow, which may allow
| remote attackers to execute arbitrary code on embedded platforms via
| traffic on Port 2947/TCP or crafted JSON inputs.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17937
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17937

Regards,
Salvatore



Marked as found in versions gpsd/3.16-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 23 Mar 2019 08:09:04 GMT)


Marked as fixed in versions gpsd/3.18.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 23 Mar 2019 08:09:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#925327; Package src:gpsd. (Fri, 29 Mar 2019 22:06:03 GMT)


Acknowledgement sent to Bernd Zeimetz <bernd@bzed.de>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Fri, 29 Mar 2019 22:06:03 GMT)


Message #14 received at 925327@bugs.debian.org:

From: Bernd Zeimetz <bernd@bzed.de>
To: Salvatore Bonaccorso <carnil@debian.org>, 925327@bugs.debian.org
Subject: Re: Bug#925327: gpsd: CVE-2018-17937
Date: Fri, 29 Mar 2019 22:54:50 +0100

Hi Salvatore,

> The following vulnerability was published for gpsd, not completely sure
> on severity and on if the referenced upstream commit is enough.
> Ideally though the fix seems ideal to go to buster.

I've tried to get more information out of Upstream, but did not get a
reply yet. So I'll prepare an upload with the mentioned commit. Looking
through the commit logs from gpsd it seems to be the only relevant one.

Bernd


-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F



Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#925327; Package src:gpsd. (Sat, 30 Mar 2019 07:36:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Sat, 30 Mar 2019 07:36:02 GMT)


Message #19 received at 925327@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Bernd Zeimetz <bernd@bzed.de>
Cc: 925327@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#925327: gpsd: CVE-2018-17937
Date: Sat, 30 Mar 2019 08:32:34 +0100

Hi Bernd,

On Fri, Mar 29, 2019 at 10:54:50PM +0100, Bernd Zeimetz wrote:
> Hi Salvatore,
> 
> > The following vulnerability was published for gpsd, not completely sure
> > on severity and on if the referenced upstream commit is enough.
> > Ideally though the fix seems ideal to go to buster.
> 
> I've tried to get more information out of Upstream, but did not get a
> reply yet. So I'll prepare an upload with the mentioned commit. Looking
> through the commit logs from gpsd it seems to be the only relevant one.

Ack thank you for investigating, I was neither more successful to
determine if that's enough.

Cc'ing the security team alias, if anyone has more ideas.

Thanks for your work!

Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#925327; Package src:gpsd. (Sat, 30 Mar 2019 12:27:03 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Sat, 30 Mar 2019 12:27:03 GMT)


Message #24 received at 925327@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 925327@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#925327: gpsd: CVE-2018-17937
Date: Sat, 30 Mar 2019 13:25:45 +0100

Hi,

On Sat, 30 Mar 2019 08:32:34 +0100 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Hi Bernd,
> 
> On Fri, Mar 29, 2019 at 10:54:50PM +0100, Bernd Zeimetz wrote:
> > Hi Salvatore,
> > 
> > > The following vulnerability was published for gpsd, not completely sure
> > > on severity and on if the referenced upstream commit is enough.
> > > Ideally though the fix seems ideal to go to buster.
> > 
> > I've tried to get more information out of Upstream, but did not get a
> > reply yet. So I'll prepare an upload with the mentioned commit. Looking
> > through the commit logs from gpsd it seems to be the only relevant one.
> 
> Ack thank you for investigating, I was neither more successful to
> determine if that's enough.
> 
> Cc'ing the security team alias, if anyone has more ideas.

I think I would also backport

http://git.savannah.nongnu.org/cgit/gpsd.git/commit/json.c?id=9b3724cb7bca7a0776bcb9b054cd1d8d736278a4

and

http://git.savannah.nongnu.org/cgit/gpsd.git/commit/json.c?id=317375877576b10fd5312a7b0dec4a192881eead

for good measure.

But I agree that the essential fix seems to be

http://git.savannah.nongnu.org/cgit/gpsd.git/commit/?id=7646cbd04055a50b157312ba6b376e88bd398c19

Regards,

Markus

Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#925327; Package src:gpsd. (Sat, 30 Mar 2019 15:48:02 GMT)


Acknowledgement sent to Bernd Zeimetz <bernd@bzed.de>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Sat, 30 Mar 2019 15:48:02 GMT)


Message #29 received at 925327@bugs.debian.org:

From: Bernd Zeimetz <bernd@bzed.de>
To: Markus Koschany <apo@debian.org>,925327@bugs.debian.org
Subject: Re: Bug#925327: gpsd: CVE-2018-17937
Date: Sat, 30 Mar 2019 16:45:55 +0100

Hi,

Totally agree, although I'll also see what upgrading json.c to the latest version gives for results. That should not depend on the rest of the gpsd code.

On 30 March 2019 13:25:45 CET, Markus Koschany <apo@debian.org> wrote:
>Hi,
>
>On Sat, 30 Mar 2019 08:32:34 +0100 Salvatore Bonaccorso
><carnil@debian.org> wrote:
>> Hi Bernd,
>> 
>> On Fri, Mar 29, 2019 at 10:54:50PM +0100, Bernd Zeimetz wrote:
>> > Hi Salvatore,
>> > 
>> > > The following vulnerability was published for gpsd, not completely sure
>> > > on severity and on if the referenced upstream commit is enough.
>> > > Ideally though the fix seems ideal to go to buster.
>> > 
>> > I've tried to get more information out of Upstream, but did not get a
>> > reply yet. So I'll prepare an upload with the mentioned commit. Looking
>> > through the commit logs from gpsd it seems to be the only relevant one.
>> 
>> Ack thank you for investigating, I was neither more successful to
>> determine if that's enough.
>> 
>> Cc'ing the security team alias, if anyone has more ideas.
>
>I think I would also backport
>
>http://git.savannah.nongnu.org/cgit/gpsd.git/commit/json.c?id=9b3724cb7bca7a0776bcb9b054cd1d8d736278a4
>
>and
>
>http://git.savannah.nongnu.org/cgit/gpsd.git/commit/json.c?id=317375877576b10fd5312a7b0dec4a192881eead
>
>for good measure.
>
>But I agree that the essential fix seems to be
>
>http://git.savannah.nongnu.org/cgit/gpsd.git/commit/?id=7646cbd04055a50b157312ba6b376e88bd398c19
>
>Regards,
>
>Markus

-- 
This message was sent from my Android device with K-9 Mail.

Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#925327; Package src:gpsd. (Sun, 31 Mar 2019 22:45:05 GMT)


Acknowledgement sent to Bernd Zeimetz <bernd@bzed.de>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Sun, 31 Mar 2019 22:45:05 GMT)


Message #34 received at 925327@bugs.debian.org:

From: Bernd Zeimetz <bernd@bzed.de>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 925327@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#925327: gpsd: CVE-2018-17937
Date: Mon, 1 Apr 2019 00:41:30 +0200

Hi,

On 3/30/19 8:32 AM, Salvatore Bonaccorso wrote:
> Hi Bernd,
> 
> On Fri, Mar 29, 2019 at 10:54:50PM +0100, Bernd Zeimetz wrote:
>> Hi Salvatore,
>>
>>> The following vulnerability was published for gpsd, not completely sure
>>> on severity and on if the referenced upstream commit is enough.
>>> Ideally though the fix seems ideal to go to buster.
>>
>> I've tried to get more information out of Upstream, but did not get a
>> reply yet. So I'll prepare an upload with the mentioned commit. Looking
>> through the commit logs from gpsd it seems to be the only relevant one.
> 
> Ack thank you for investigating, I was neither more successful to
> determine if that's enough.
> 
> Cc'ing the security team alias, if anyone has more ideas.

So I'd go with
https://github.com/bzed/pkg-gpsd/blob/buster/debian/patches/json-cve-fix

which contains all changes to json.c/.h up to
a399e85c1201400e281f2c1dc29dde21c29b0088

from the upstream repository.

Later changes are not relevant here.

Any objections?


Bernd

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F



Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#925327; Package src:gpsd. (Mon, 01 Apr 2019 20:06:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Mon, 01 Apr 2019 20:06:03 GMT)


Message #39 received at 925327@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Bernd Zeimetz <bernd@bzed.de>
Cc: 925327@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#925327: gpsd: CVE-2018-17937
Date: Mon, 1 Apr 2019 22:02:51 +0200

Hi Bernd,

On Mon, Apr 01, 2019 at 12:41:30AM +0200, Bernd Zeimetz wrote:
> Hi,
> 
> On 3/30/19 8:32 AM, Salvatore Bonaccorso wrote:
> > Hi Bernd,
> > 
> > On Fri, Mar 29, 2019 at 10:54:50PM +0100, Bernd Zeimetz wrote:
> >> Hi Salvatore,
> >>
> >>> The following vulnerability was published for gpsd, not completely sure
> >>> on severity and on if the referenced upstream commit is enough.
> >>> Ideally though the fix seems ideal to go to buster.
> >>
> >> I've tried to get more information out of Upstream, but did not get a
> >> reply yet. So I'll prepare an upload with the mentioned commit. Looking
> >> through the commit logs from gpsd it seems to be the only relevant one.
> > 
> > Ack thank you for investigating, I was neither more successful to
> > determine if that's enough.
> > 
> > Cc'ing the security team alias, if anyone has more ideas.
> 
> So I'd go with
> https://github.com/bzed/pkg-gpsd/blob/buster/debian/patches/json-cve-fix
> 
> which contains all changes to json.c/.h up to
> a399e85c1201400e281f2c1dc29dde21c29b0088
> 
> from the upstream repository.
> 
> Later changes are not relevant here.
> 
> Any objections?

Makes sense.

Once uploaded to unstable, can you ask for an unblock so it will reach
buster?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#925327; Package src:gpsd. (Mon, 01 Apr 2019 20:39:02 GMT)


Acknowledgement sent to Bernd Zeimetz <bernd@bzed.de>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Mon, 01 Apr 2019 20:39:02 GMT)


Message #44 received at 925327@bugs.debian.org:

From: Bernd Zeimetz <bernd@bzed.de>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 925327@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#925327: gpsd: CVE-2018-17937
Date: Mon, 1 Apr 2019 22:37:42 +0200

Hi,

> Once uploaded to unstable, can you ask for an unblock so it will reach
> buster?

sure, will do.
I'll also see what can/should be ported to stable.


Bernd

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F



Reply sent to Bernd Zeimetz <bzed@debian.org>:
You have taken responsibility. (Fri, 05 Apr 2019 22:21:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 05 Apr 2019 22:21:06 GMT)


Message #49 received at 925327-close@bugs.debian.org:

From: Bernd Zeimetz <bzed@debian.org>
To: 925327-close@bugs.debian.org
Subject: Bug#925327: fixed in gpsd 3.17-6
Date: Fri, 05 Apr 2019 22:18:36 +0000
Source: gpsd
Source-Version: 3.17-6

We believe that the bug you reported is fixed in the latest version of
gpsd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 925327@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernd Zeimetz <bzed@debian.org> (supplier of updated gpsd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 05 Apr 2019 23:31:30 +0200
Source: gpsd
Architecture: source
Version: 3.17-6
Distribution: unstable
Urgency: medium
Maintainer: Bernd Zeimetz <bzed@debian.org>
Changed-By: Bernd Zeimetz <bzed@debian.org>
Closes: 925327
Changes:
 gpsd (3.17-6) unstable; urgency=medium
 .
   * [0a8e4e18] Pull json fixes from upstream to fix a stack-based
     buffer overflow, which may allow remote attackers to execute
     arbitrary code on embedded platforms via traffic on Port
     2947/TCP or crafted JSON inputs.
     CVE-2018-17937 / Closes: #925327
     The update also fixes several other json parser bugs.
     - ECMA-404 says JSON \u must have 4 hex digits
     - Allow for \u escapes with fewer than 4 digits.
     - Fail on bad escape string.
   * [71020f4f] Update git-buildpackage config to build from the
     buster branch.
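
The changelog for 3.17-6 above pairs the stack-based buffer overflow fix with stricter handling of JSON escapes (four hex digits after \u, fail on a bad escape). The following C code is an added example, not gpsd's json.c and not the upstream patch: a hypothetical decode_json_string() that copies a JSON string into a fixed-size buffer, refuses any write past its end, and takes the strict ECMA-404 reading of \u. The function name, the 8-byte buffer and the sample inputs are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical helper, not gpsd's json.c: decode the body of a JSON string
 * (the text after the opening quote) into out[outlen]. Returns the decoded
 * length, or -1 on overflow, bad escape, or missing closing quote. */
int decode_json_string(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return -1;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '"') {              /* closing quote: terminate and succeed */
            out[n] = '\0';
            return (int)n;
        }
        if (c == '\\') {
            switch (*++in) {
            case '"': case '\\': case '/': c = (unsigned char)*in; break;
            case 'b': c = '\b'; break;  case 'f': c = '\f'; break;
            case 'n': c = '\n'; break;  case 'r': c = '\r'; break;
            case 't': c = '\t'; break;
            case 'u': {
                char hex[5] = {0};
                /* exactly four hex digits; a '\0' fails here, so no over-read */
                for (int i = 0; i < 4; i++) {
                    if (!isxdigit((unsigned char)in[1 + i]))
                        return -1;
                    hex[i] = in[1 + i];
                }
                in += 4;
                unsigned long cp = strtoul(hex, NULL, 16);
                if (cp == 0 || cp > 0xff)
                    return -1;       /* simplification: one output byte only */
                c = (unsigned char)cp;
                break;
            }
            default:
                return -1;           /* bad escape, or input ended after '\' */
            }
        }
        if (n + 1 >= outlen)         /* always keep room for the terminator */
            return -1;
        out[n++] = (char)c;
    }
    return -1;                       /* input ended without a closing quote */
}

int main(void)
{
    char buf[8];                     /* constructed sample inputs below */
    printf("%d\n", decode_json_string("a\\u0041b\"", buf, sizeof buf));
    printf("%d\n", decode_json_string("\\u41\"", buf, sizeof buf));
    return 0;
}
```

Every rejection path returns before the write, so the destination buffer is never touched beyond outlen no matter how long the input is.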






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:16:32 2019; Machine Name: buxtehude
