Date: Tue, 7 May 2013 21:30:01 -0400
From: "Eric S. Raymond" <esr@...rsus.com>
To: Jan Lieskovsky <jlieskov@...hat.com>
Cc: Kurt Seifried <kseifried@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, Miroslav Lichvar <mlichvar@...hat.com>, oss-security@...ts.openwall.com
Subject: Re: CVE Request -- gpsd 3.9 fixing a denial of service flaw

Jan Lieskovsky <jlieskov@...hat.com>:
> Hello Eric,
>
> since doubts have appeared:
> https://bugs.mageia.org/show_bug.cgi?id=9969#c2

Sorry, seems I missed some earlier mail, probably due to my DNS being
temporarily deranged after I upgraded to Ubuntu 13.04.

> which upstream patch has the CVE-2013-2038 identifier been assigned
> to, could you confirm / disprove the latter?
>
> * The true crash was in the NMEA(2000) driver, with upstream patch:
>   http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=dd9c3c2830cb8f8fd8491ce68c82698dc5538f50
>
>   This one should be referenced under CVE-2013-2038.

Not quite right. The problem was with NMEA0183, not with NMEA2000. But
yes, this crash has been seen in the wild, though not in conjunction
with an identified attack.

> * While the hypothetical one was in the AIS driver, with upstream patch:
>   http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=08edc49d8f63c75bfdfb480b083b0d960310f94f
>
>   Upstream 3.9 announcement "Armor the AIS driver against an implausible overrun attack."
>   would support this.

Correct. The potential AIS overrun has *not* been observed. The
possibility was reported by someone reading the code.

> > Application of the patch looks reasonable. Just would be good to know
> > if it was applied just like a preventive measure (no DoS right now, just
> > prevent its [possible] occurrence in the future in case of code change)
> > or if under certain circumstances it might be used to DoS gpsd too?

It is a preventive measure. I don't think it is presently exploitable,
but I'm not *certain* it isn't.

-- 
<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>