Hi,

> the following vulnerability was published for gpsd.
>
> CVE-2013-2038[0]:
> DoS (packet parser crash) in the AIS driver when processing malformed packet

interesting as there is also a second way to make gpsd crash, although that would require a pretty buggy NMEA string. If you look at the

> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> Patches referenced by upstream developer and detailed explanation can be
> found at [1,2,3].
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2038
>     http://security-tracker.debian.org/tracker/CVE-2013-2038
> [1] http://marc.info/?l=oss-security&m=136753549732442&w=2
> [2] http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=dd9c3c2830cb8f8fd8491ce68c82698dc5538f50
> [3] http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=08edc49d8f63c75bfdfb480b083b0d960310f94f
>
> Please adjust the affected versions in the BTS as needed.
>
> @Bernd: I have not (yet) further investigated, only looked at current
> code to see if above match.

Already looked into it, and I've prepared a fixed upload already. But I don't think the bug is bad enough to require a security upload or fix in wheezy before the release. I'll upload it to unstable and see if the release team picks it up for wheezy, otherwise it will be fine to have it in the first point-release.

Cheers,

Bernd

>
> Regards,
> Salvatore

--
Bernd Zeimetz                            Debian GNU/Linux Developer
http://bzed.de                                http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F