Message-ID: <20130508013001.GB21927@thyrsus.com>
Date: Tue, 7 May 2013 21:30:01 -0400
From: "Eric S. Raymond" <esr@...rsus.com>
To: Jan Lieskovsky <jlieskov@...hat.com>
Cc: Kurt Seifried <kseifried@...hat.com>,
	"Steven M. Christey" <coley@...us.mitre.org>,
	Miroslav Lichvar <mlichvar@...hat.com>,
	oss-security@...ts.openwall.com
Subject: Re: CVE Request -- gpsd 3.9 fixing a denial of
 service flaw

Jan Lieskovsky <jlieskov@...hat.com>:
> Hello Eric,
> 
>   since doubts have appeared:
>     https://bugs.mageia.org/show_bug.cgi?id=9969#c2

Sorry, seems I missed some earlier mail, probably due to my DNS being
temporarily deranged after I upgraded to Ubuntu 13.04.
 
> which upstream patch has been the CVE-2013-2038 identifier assigned
> to, could you confirm / disprove the latter?
> 
> * The true crash was in the NMEA(2000) driver, with upstream patch:
>   http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=dd9c3c2830cb8f8fd8491ce68c82698dc5538f50
> 
>   This one should be referenced under CVE-2013-2038.

Not quite right.  The problem was with NMEA0183, not with NMEA2000.  But yes,
this crash has been seen in the wild, though not in conjunction with an
identified attack.

> * While the hypothetical one was in the AIS driver, with upstream patch:
>   http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=08edc49d8f63c75bfdfb480b083b0d960310f94f
> 
>   Upstream 3.9 announcement "Armor the AIS driver against an implausible overrun attack."
>   would support this.

Correct.  The potential AIS overrun has *not* been observed.  The
possibility was reported by someone reading the code.

> > Application of the patch looks reasonable. Just would be good to know
> > if it was applied just like a preventive measure (no DoS right now, just
> > prevent its [possible] occurrence in the future in case of code change)
> > or if under certain circumstances it might be used to DoS gpsd too?

It is a preventive measure.  I don't think it is presently exploitable,
but I'm not *certain* it isn't.
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>
