Date: Tue, 7 May 2013 21:30:01 -0400
From: "Eric S. Raymond" <>
To: Jan Lieskovsky <>
Cc: Kurt Seifried <>,
	"Steven M. Christey" <>,
	Miroslav Lichvar <>,
Subject: Re: CVE Request -- gpsd 3.9 fixing a denial of
 service flaw

Jan Lieskovsky <>:
> Hello Eric,
>   since doubts have appeared:

Sorry, seems I missed some earlier mail, probably due to my DNS being
temporarily deranged after I upgraded to Ubuntu 13.04.

> which upstream patch has been the CVE-2013-2038 identifier assigned
> to, could you confirm / disprove the latter?
> * The true crash was in the NMEA(2000) driver, with upstream patch:
>   This one should be referenced under CVE-2013-2038.

Not quite right.  The problem was with NMEA0183, not with NMEA2000.  But yes,
this crash has been seen in the wild, though not in conjunction with an
identified attack.

> * While the hypothetical one was in the AIS driver, with upstream patch:
>   Upstream 3.9 announcement "Armor the AIS driver against an implausible overrun attack."
>   would support this.

Correct.  The potential AIS overrun has *not* been observed.  The
possibility was reported by someone reading the code.

> > Application of the patch looks reasonable. Just would be good to know
> > if it was applied just like a preventive measure (no DoS right now, just
> > prevent its [possible] occurrence in the future in case of code change)
> > or if under certain circumstances it might be used to DoS gpsd too?

It is a preventive measure.  I don't think it is presently exploitable,
but I'm not *certain* it isn't.
		Eric S. Raymond
