CVE-2018-17937: gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open source project, allow a stack-based buffer overflow, which may allow remote attackers to execute arbitrary code on embedded platforms via traffic on Port 2947/TCP or crafted JSON inputs.

We need to stabilize a fixed version; we'll just depend on the existing stablereq here.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65805a58b1c7920eeaf78b5ea6ec07d958ddc312

commit 65805a58b1c7920eeaf78b5ea6ec07d958ddc312
Author: Sam James <sam@gentoo.org>
AuthorDate: 2020-09-25 17:55:55 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2020-09-25 17:55:55 +0000

sci-geosciences/gpsd: cleanup old

Bug: https://bugs.gentoo.org/743766
Bug: https://bugs.gentoo.org/743556
Package-Manager: Portage-3.0.4, Repoman-3.0.1
Signed-off-by: Sam James <sam@gentoo.org>

sci-geosciences/gpsd/Manifest                        |   2 -
.../gpsd/files/gpsd-3.17-do_not_rm_library.patch     |  12 --
.../gpsd/files/gpsd-3.17-scons-print.patch           |  73 --------
.../gpsd/files/gpsd-3.17-scons-py3.patch             | 143 ----------------
.../gpsd/files/gpsd-3.18.1-do_not_rm_library.patch   |  11 --
.../gpsd/files/gpsd-3.19-do_not_rm_library.patch     |  11 --
sci-geosciences/gpsd/gpsd-3.17-r3.ebuild             | 171 -------------------
sci-geosciences/gpsd/gpsd-3.17-r4.ebuild             | 175 -------------------
sci-geosciences/gpsd/gpsd-3.20.ebuild                | 189 ---------------------
9 files changed, 787 deletions(-)
This issue was resolved and addressed in GLSA 202009-17 at https://security.gentoo.org/glsa/202009-17 by GLSA coordinator Sam James (sam_c).