Hi Bernd On Fri, May 03, 2013 at 08:50:52PM +0200, Bernd Zeimetz wrote: > Hi, > > > the following vulnerability was published for gpsd. > > > > CVE-2013-2038[0]: > > DoS (packet parser crash) in the AIS driver when processing malformed packet > > interesting as there is also a second way to make gpsd crash, although that > would require a pretty buggy NMEA string. If you look at the
Looks there is a missing part here, but I think I understood, that there where two ways mentioned to make gpsd crash. > > If you fix the vulnerability please also make sure to include the > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > > > Patches referenced by upstream developer and detailed explanation can be > > found at [1,2,3]. > > > > For further information see: > > > > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2038 > > http://security-tracker.debian.org/tracker/CVE-2013-2038 > > [1] http://marc.info/?l=oss-security&m=136753549732442&w=2 > > [2] > > http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=dd9c3c2830cb8f8fd8491ce68c82698dc5538f50 > > [3] > > http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=08edc49d8f63c75bfdfb480b083b0d960310f94f > > > > Please adjust the affected versions in the BTS as needed. > > > > @Bernd: I have not (yet) further investigated, only looked at current > > code to see if above match. > > Already looked into it, and I've prepared a fixed upload already. But I don't > think the bug is bad enough to require a security upload or fix in wheezy > before > the release. I'll upload it to unstable and see if the release team picks it > up > for wheezy, otherwise it will be fine to have it in the first point-release. Thank you have seen the upload and marked accordingly in the security-tracker. It's unfortunately already to late to ask for an unblock. But I agree, it would be enought to fix this for wheezy and squeeze trough s-p-u, and o-p-u. Thank you for your quick reply! Regards, Salvatore -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
