Date: Thu, 2 May 2013 15:41:51 -0400
From: "Eric S. Raymond" <esr@...rsus.com>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com, Jan Lieskovsky <jlieskov@...hat.com>,
	"Steven M. Christey" <coley@...us.mitre.org>,
	Miroslav Lichvar <mlichvar@...hat.com>
Subject: Re: CVE Request -- gpsd 3.9 fixing a denial of service flaw

Kurt Seifried <kseifried@...hat.com>:
> On 05/02/2013 03:58 AM, Jan Lieskovsky wrote:
> > @Eric - Eric, could you please help us to solve this doubt? (which 
> > of the patches is the correct one to fix the above mentioned DoS /
> > security issue)

There are two critical patches which solve two different DoSes (well,
one certain and one potential).  Yes, it's a strange coincidence that
both bugs were characterized at almost the same time after we haven't
had a crash bug since 2007.

The crash bug was in the NMEA driver.  There's a particular kind of malformed
packet, sometimes emitted by SiRFStar-III receivers, that looks like this:

$GPGGA,030130$GPGLL,2638.1728,N,08011.3893,W,030131.000,A,A*41\r\n

See the incomplete GGA without trailing \r\n at the front?  Usually
that was harmless and would be silently discarded. Under rare circumstances
it could core dump (but not any more, I now have a regression test to check
this case).

That fix was commit dd9c3c2830cb8f8fd8491ce68c82698dc5538f50.

The potential crash/DoS was in the AIS driver.

The first stage of what it does is un-armor an AIVDM ASCII packet
representation into an equivalent binary packet which is then examined
for data at specific bit offsets.

The un-armoring logic was not properly bounds-checked, potentially
opening up a hole. In theory, an overlong armored packet could be
crafted to overrun the binary-packet buffer.

I'm not sure that one was exploitable; there are other properties of
the code (notably the bounds-checked maximum length of the AIVDM ASCII
packet buffer) that seem to guarantee the end of the binary packet
buffer could never be reached.

I put in a check anyway, because (a) I could be wrong about that, (b)
supposing I'm right, that invariant could get silently broken by a future 
code change.

That was commit 08edc49d8f63c75bfdfb480b083b0d960310f94f, responding 
to Savannah bug #38511.

Note: neither of these has privilege-escalation possibilities.  gpsd
needs root to initialize, but drops it long before either of these
code defects could fire.

If you have any other questions, do not hesitate to ask.
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>
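As an added illustration of the two defect classes discussed in the mail (this is example code written for this page, not gpsd's own driver code), the block below shows the two steps a defender would want to see bounds-checked: framing a raw NMEA byte stream so that an unterminated fragment such as the `$GPGGA,030130` prefix quoted above is dropped when the next `$` arrives, and un-armoring an AIVDM six-bit payload into a binary buffer with an explicit length check before any byte is written. Function names, the `NMEA_MAX` and buffer sizes, and the sample AIVDM payload are constructed for this example and are not gpsd's identifiers; the fused GGA/GLL packet is the one quoted in the mail.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* NMEA 0183 caps a sentence at 82 bytes, counting the leading '$'/'!' and CRLF. */
#define NMEA_MAX 82

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Check the "*hh" trailer: XOR of every byte between the start character and '*'. */
static bool nmea_checksum_ok(const char *s)
{
    if (*s != '$' && *s != '!')
        return false;
    unsigned char sum = 0;
    const char *p;
    for (p = s + 1; *p != '\0' && *p != '*'; p++)
        sum ^= (unsigned char)*p;
    if (*p != '*' || hexval(p[1]) < 0 || hexval(p[2]) < 0)
        return false;
    return sum == (unsigned char)(hexval(p[1]) * 16 + hexval(p[2]));
}

/* Frame a raw byte stream into complete, checksum-valid sentences. A sentence opens
 * with '$' or '!' and closes with "\r\n". If a new start character arrives before the
 * terminator (the SiRFStar-III case in the mail), the unterminated fragment is dropped
 * and framing restarts there. Returns the count copied to out[], CRLF removed. */
static int nmea_split(const char *stream, char out[][NMEA_MAX + 1], int max_out)
{
    int n = 0;
    const char *start = NULL;
    for (const char *p = stream; *p != '\0'; p++) {
        if (*p == '$' || *p == '!') {
            start = p;                       /* resynchronise on every start character */
        } else if (start == NULL) {
            continue;                        /* bytes before any start character: ignore */
        } else if (*p == '\r' && p[1] == '\n') {
            size_t len = (size_t)(p - start);
            if (len <= NMEA_MAX && n < max_out) {
                memcpy(out[n], start, len);
                out[n][len] = '\0';
                if (nmea_checksum_ok(out[n]))
                    n++;                     /* keep only sentences whose checksum verifies */
            }
            start = NULL;
            p++;                             /* step over the '\n' */
        } else if ((size_t)(p - start) > NMEA_MAX) {
            start = NULL;                    /* overlong with no terminator: discard */
        }
    }
    return n;
}

/* AIVDM armoring: '0'..'W' carry 0..39, '`'..'w' carry 40..63; 'X'..'_' are unused. */
static int ais_sixbit(char c)
{
    if (c >= '0' && c <= 'W') return c - '0';
    if (c >= '`' && c <= 'w') return c - '`' + 40;
    return -1;
}

/* Un-armor an AIVDM payload into a packed, MSB-first bit string. Returns the number
 * of bits written, or -1 on an invalid character or when the payload needs more than
 * outlen bytes. The `needed > outlen` test is the bounds check the mail describes
 * adding; without it an overlong payload writes past the end of out[]. */
static int ais_unarmor(const char *payload, unsigned char *out, size_t outlen)
{
    size_t nchars = strlen(payload);
    size_t nbits = nchars * 6;
    size_t needed = (nbits + 7) / 8;
    if (needed > outlen)
        return -1;                           /* refuse the packet rather than overrun */
    memset(out, 0, needed);
    size_t bit = 0;
    for (size_t i = 0; i < nchars; i++) {
        int v = ais_sixbit(payload[i]);
        if (v < 0)
            return -1;
        for (int k = 5; k >= 0; k--, bit++)
            if (v & (1 << k))
                out[bit / 8] |= (unsigned char)(0x80u >> (bit % 8));
    }
    return (int)nbits;
}

/* Read a width-bit (<= 31) unsigned field at bit offset start; -1 if it would run
 * past nbits, so the later "data at specific bit offsets" step is bounds-checked too. */
static long ais_ubits(const unsigned char *buf, size_t nbits, size_t start, size_t width)
{
    if (width == 0 || width > 31 || start + width > nbits)
        return -1;
    long v = 0;
    for (size_t b = start; b < start + width; b++)
        v = (v << 1) | ((buf[b / 8] >> (7 - b % 8)) & 1);
    return v;
}

int main(void)
{
    /* Constructed input: the fused GGA/GLL packet quoted in the mail. */
    char sentences[4][NMEA_MAX + 1];
    int n = nmea_split("$GPGGA,030130$GPGLL,2638.1728,N,08011.3893,W,030131.000,A,A*41\r\n",
                       sentences, 4);
    printf("%d complete sentence(s); first: %s\n", n, n ? sentences[0] : "(none)");

    /* Sample AIVDM payload (constructed for this example): type 1 position report. */
    const char *payload = "13aEOK?P00PD2wVMdLDRhgvL289?";
    unsigned char bits[32];
    int nbits = ais_unarmor(payload, bits, sizeof bits);
    printf("un-armored %d bits, message type %ld, MMSI %ld\n",
           nbits, ais_ubits(bits, (size_t)nbits, 0, 6), ais_ubits(bits, (size_t)nbits, 8, 30));
    printf("same payload into a 2-byte buffer: %d\n", ais_unarmor(payload, bits, 2));
    return 0;
}
```

The framer's only resynchronisation rule is "a start character always begins a new sentence", which is what makes the truncated `$GPGGA,030130` harmless here: it is never copied anywhere, so it cannot be parsed. On the AIS side, the length check happens before `memset`, so a rejected payload leaves the output buffer untouched; a regression test for the fix would assert exactly that return value, as the mail says was done for the NMEA case.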
