Date: Tue, 7 May 2013 21:30:01 -0400
From: "Eric S. Raymond" <esr@...rsus.com>
To: Jan Lieskovsky <jlieskov@...hat.com>
Cc: Kurt Seifried <kseifried@...hat.com>,
	"Steven M. Christey" <coley@...us.mitre.org>,
	Miroslav Lichvar <mlichvar@...hat.com>,
	oss-security@...ts.openwall.com
Subject: Re: CVE Request -- gpsd 3.9 fixing a denial of
 service flaw

Jan Lieskovsky <jlieskov@...hat.com>:
> Hello Eric,
> 
>   since doubts have appeared:
>     https://bugs.mageia.org/show_bug.cgi?id=9969#c2

Sorry, seems I missed some earlier mail, probably due to my DNS being
temporarily deranged after I upgraded to Ubuntu 13.04.  
 
> which upstream patch has been the CVE-2013-2038 identifier assigned
> to, could you confirm / disprove the latter?
> 
> * The true crash was in the NMEA(2000) driver, with upstream patch:
>   http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=dd9c3c2830cb8f8fd8491ce68c82698dc5538f50
> 
>   This one should be referenced under CVE-2013-2038.

Not quite right.  The problem was with NMEA0183, not with NMEA2000.  But yes,
this crash has been seen in the wild, though not in conjunction with an 
identified attack.

> * While the hypothetical one was in the AIS driver, with upstream patch:
>   http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=08edc49d8f63c75bfdfb480b083b0d960310f94f
> 
>   Upstream 3.9 announcement "Armor the AIS driver against an implausible overrun attack."
>   would support this.

Correct.  The potential AIS overrun has *not* been observed.  The
possibility was reported by someone reading the code.

> > Application of the patch looks reasonable. Just would be good to know
> > if it was applied just like a preventive measure (no DoS right now, just
> > prevent its [possible] occurrence in the future in case of code change)
> > or if under certain circumstances it might be used to DoS gpsd too?

It is a preventive measure.  I don't think it is presently exploitable,
but I'm not *certain* it isn't.
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>
