Hi, totally agree, although I'll also see what upgrading json.c to the latest version gives for results. That should not depend on the rest of the gpsd code.

On 30 March 2019 13:25:45 CET, Markus Koschany <a...@debian.org> wrote:
>Hi,
>
>On Sat, 30 Mar 2019 08:32:34 +0100 Salvatore Bonaccorso
><car...@debian.org> wrote:
>> Hi Bernd,
>>
>> On Fri, Mar 29, 2019 at 10:54:50PM +0100, Bernd Zeimetz wrote:
>> > Hi Salvatore,
>> >
>> > > The following vulnerability was published for gpsd, not completely sure
>> > > on severity and on if the referenced upstream commit is enough.
>> > > Ideally though the fix seems ideal to go to buster.
>> >
>> > I've tried to get more information out of Upstream, but did not get a
>> > reply yet. So I'll prepare an upload with the mentioned commit. Looking
>> > through the commit logs from gpsd it seems to be the only relevant one.
>>
>> Ack thank you for investigating, I was neither more successful to
>> determine if that's enough.
>>
>> Cc'ing the security team alias, if anyone has more ideas.
>
>I think I would also backport
>
>http://git.savannah.nongnu.org/cgit/gpsd.git/commit/json.c?id=9b3724cb7bca7a0776bcb9b054cd1d8d736278a4
>
>and
>
>http://git.savannah.nongnu.org/cgit/gpsd.git/commit/json.c?id=317375877576b10fd5312a7b0dec4a192881eead
>
>for good measure.
>
>But I agree that the essential fix seems to be
>
>http://git.savannah.nongnu.org/cgit/gpsd.git/commit/?id=7646cbd04055a50b157312ba6b376e88bd398c19
>
>Regards,
>
>Markus

--
Sent from my Android device with K-9 Mail.