Bugzilla – Bug 818136
VUL-1: gpsd: CVE-2013-2038: denial of service flaw
Last modified: 2016-10-20 10:23:25 UTC
Public via oss-security:

Date: Thu, 2 May 2013 05:58:48 -0400 (EDT)
From: Jan Lieskovsky
Subject: [oss-security] CVE Request -- gpsd 3.9 fixing a denial of service flaw

GPSD upstream has released 3.9 version: [1]
http://lists.nongnu.org/archive/html/gpsd-dev/2013-05/msg00000.html
correcting one denial of service problem [2]:

A denial of service flaw was found in the way AIS driver packet parser of gpsd, a service daemon for mediating access to a GPS, processed certain malformed packets. A remote attacker could provide a specially-crafted device input that, when processed, would lead to gpsd's packet parser crash (gpsd daemon termination).

References:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=958717

Candidate upstream patches [*]:
[3] http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=08edc49d8f63c75bfdfb480b083b0d960310f94f
[4] http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=dd9c3c2830cb8f8fd8491ce68c82698dc5538f50

[*] Candidate because upstream #38511 is private currently:
http://savannah.nongnu.org/bugs/?38511
=> hard to say if [3] is fixing this issue, or the DoS would be caused by the malformed packet crash / sample, as listed in [4].

@Eric - Eric, could you please help us to solve this doubt? (which of the patches is the correct one to fix the above mentioned DoS / security issue)

Thanks: Goes to Miroslav Lichvar for bringing this one to my attention.
bugbot adjusting priority
CVE-2013-2038 was assigned.
For completeness:

Date: Thu, 2 May 2013 15:41:51 -0400
From: "Eric S. Raymond"
Subject: Re: [oss-security] CVE Request -- gpsd 3.9 fixing a denial of service flaw
--------------
> On 05/02/2013 03:58 AM, Jan Lieskovsky wrote:
> > @Eric - Eric, could you please help us to solve this doubt? (which
> > of the patches is the correct one to fix the above mentioned DoS /
> > security issue)

There are two critical patches which solve two different DoSes (well, one certain and one potential). Yes, it's a strange coincidence that both bugs were characterized at almost the same time after we haven't had a crash bug since 2007.

The crash bug was in the NMEA driver. There's a particular kind of malformed packet, sometimes emitted by SiRFStar-III receivers, that looks like this:

$GPGGA,030130$GPGLL,2638.1728,N,08011.3893,W,030131.000,A,A*41\r\n

See the incomplete GGA without trailing \r\n at the front? Usually that was harmless and would be silently discarded. Under rare circumstances it could core dump (but not any more, I now have a regression test to check this case). That fix was commit dd9c3c2830cb8f8fd8491ce68c82698dc5538f50.

The potential crash/DoS was in the AIS driver. The first stage of what it does is un-armor an AIVDM ASCII packet representation into an equivalent binary packet which is then examined for data at specific bit offsets. The un-armoring logic was not properly bounds-checked, potentially opening up a hole. In theory, an overlong armored packet could be crafted to overrun the binary-packet buffer.

I'm not sure that one was exploitable; there are other properties of the code (notably the bounds-checked maximum length of the AIVDM ASCII packet buffer) that seem to guarantee the end of the binary packet buffer could never be reached. I put in a check anyway, because (a) I could be wrong about that, (b) supposing I'm right, that invariant could get silently broken by a future code change.

That was commit 08edc49d8f63c75bfdfb480b083b0d960310f94f, responding to Savannah bug #38511.

Note: neither of these have privilege-escalation possibilities. gpsd needs root to initialize, but drops it long before either of these code defects could fire.

If you have any other questions, do not hesitate to ask.
--------------
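Added illustration of the two defensive checks the reply above describes; this is example code written for this page, not gpsd's own code and not the content of the two commits cited. It shows an NMEA framer that abandons a '$' sentence that is interrupted by another '$' before reaching its '*hh' checksum (the incomplete GGA in the quoted sample), and an AIVDM un-armoring routine that refuses a payload whose 6-bit groups would exceed the binary buffer's capacity before writing anything. The names ais_ctx, ais_unarmor, ais_getbits, nmea_extract_last and the 1024-bit AIS_MAX_BITS capacity are assumptions chosen for the example; the NMEA line is the one quoted in the reply, and the AIVDM payload is a sample type 1 position report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- NMEA framing: drop a '$' fragment that never reaches its '*hh' checksum ---- */

/* Hex digit to value, or -1 (hypothetical helper). */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Copy the last complete "$...*hh" sentence in buf into out. A '$' seen before the
   open sentence reached its checksum abandons that sentence; a sentence whose XOR
   checksum does not match is ignored too. Returns true if a valid sentence was copied. */
static bool nmea_extract_last(const char *buf, char *out, size_t outsz)
{
    const char *start = NULL;
    bool found = false;
    for (const char *p = buf; *p != '\0'; p++) {
        if (*p == '$') {
            start = p;                         /* new sentence; any open one is discarded */
        } else if (*p == '*' && start != NULL && p[1] != '\0' && p[2] != '\0') {
            int hi = hexval(p[1]), lo = hexval(p[2]);
            unsigned char sum = 0;
            for (const char *q = start + 1; q < p; q++) sum ^= (unsigned char)*q;
            size_t len = (size_t)(p + 3 - start);   /* "$" ... "*hh" */
            if (hi >= 0 && lo >= 0 && sum == (unsigned char)(hi * 16 + lo) && len < outsz) {
                memcpy(out, start, len);
                out[len] = '\0';
                found = true;
            }
            start = NULL;
        }
    }
    return found;
}

/* ---- AIVDM un-armoring with an explicit bit-length bound ---------------------- */

#define AIS_MAX_BITS  1024               /* constructed capacity, not gpsd's real constant */
#define AIS_MAX_BYTES (AIS_MAX_BITS / 8)

struct ais_ctx {                         /* hypothetical; stands in for the decoder state */
    uint8_t bits[AIS_MAX_BYTES];         /* binary packet, most significant bit first */
    size_t  bitlen;                      /* number of valid bits in bits[] */
};

static void ais_init(struct ais_ctx *ctx) { memset(ctx, 0, sizeof *ctx); }

/* Armored ASCII character to its 6-bit value: '0'..'W' give 0..39, '`'..'w' give 40..63. */
static int ais_unarmor_char(char c)
{
    if (c >= '0' && c <= 'W') return c - 48;
    if (c >= '`' && c <= 'w') return c - 56;
    return -1;
}

/* Append the payload's 6-bit groups to ctx. Refuses (leaving ctx unchanged) when any
   character is outside the alphabet or the result would exceed AIS_MAX_BITS; this is
   the bound whose absence would let an overlong packet run past the binary buffer. */
static bool ais_unarmor(struct ais_ctx *ctx, const char *payload)
{
    size_t n = strlen(payload);
    if (n > AIS_MAX_BITS / 6 || ctx->bitlen + n * 6 > AIS_MAX_BITS) return false;
    for (size_t i = 0; i < n; i++)
        if (ais_unarmor_char(payload[i]) < 0) return false;
    for (size_t i = 0; i < n; i++) {
        int v = ais_unarmor_char(payload[i]);
        for (int b = 5; b >= 0; b--, ctx->bitlen++)
            if ((v >> b) & 1)
                ctx->bits[ctx->bitlen / 8] |= (uint8_t)(0x80 >> (ctx->bitlen % 8));
    }
    return true;
}

/* Read len bits (1..30) starting at bit start, or -1 if the range lies outside the packet. */
static long ais_getbits(const struct ais_ctx *ctx, size_t start, size_t len)
{
    if (len == 0 || len > 30 || start + len > ctx->bitlen) return -1;
    long v = 0;
    for (size_t i = start; i < start + len; i++)
        v = (v << 1) | ((ctx->bits[i / 8] >> (7 - i % 8)) & 1);
    return v;
}

int main(void)
{
    char out[128] = "";
    const char *sirf = "$GPGGA,030130$GPGLL,2638.1728,N,08011.3893,W,030131.000,A,A*41\r\n";
    printf("NMEA: %s -> %s\n", nmea_extract_last(sirf, out, sizeof out) ? "kept" : "dropped", out);
    struct ais_ctx ctx;
    ais_init(&ctx);
    if (ais_unarmor(&ctx, "13aEOK?P00PD2wVMdLDRhgvL289?"))   /* sample type 1 report */
        printf("AIS: %zu bits, type %ld, MMSI %ld\n", ctx.bitlen,
               ais_getbits(&ctx, 0, 6), ais_getbits(&ctx, 8, 30));
    return 0;
}
```

Both routines validate before they write: the framer only copies a sentence once its checksum has been confirmed, and the un-armorer checks the total bit length and the alphabet of every character before touching the buffer, so a rejected packet leaves the decoder state exactly as it was.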
I would put it on planned
Affected packages: SLE-11-SP3: gpsd
Created attachment 604211 [details] CVE-2013-2038-ais_context-bitlen.patch This fix is based on the following commit and fixes the problem in gpsd-3.5. http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=08edc49d8f63c75bfdfb480b083b0d960310f94f
Created attachment 604212 [details] CVE-2013-2038-malformed-packet-crash.patch This fix is based on the following commit and fixes the problem in gpsd-3.5. git.savannah.gnu.org/cgit/gpsd.git/commit/?id=dd9c3c2830cb8f8fd8491ce68c82698dc5538f50
This is an autogenerated message for OBS integration: This bug (818136) was mentioned in https://build.opensuse.org/request/show/318498 13.1 / gpsd
Update is running.
released
openSUSE-SU-2015:1340-1: An update that fixes one vulnerability is now available. Category: security (low) Bug References: 818136 CVE References: CVE-2013-2038 Sources used: openSUSE 13.1 (src): gpsd-3.5-7.8.1