Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 743766 (CVE-2018-17937) - <sci-geosciences/gpsd-3.18: Arbitrary code execution (CVE-2018-17937)
Summary: <sci-geosciences/gpsd-3.18: Arbitrary code execution (CVE-2018-17937)
Status: RESOLVED FIXED
Alias: CVE-2018-17937
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://us-cert.cisa.gov/ics/advisori...
Whiteboard: B1 [glsa+]
Keywords:
Depends on: 743556
Blocks:
  Show dependency tree
 
Reported: 2020-09-20 15:46 UTC by John Helmert III (ajak)
Modified: 2020-09-29 18:12 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III (ajak) 2020-09-20 15:46:20 UTC
CVE-2018-17937:

gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open source project, allow a stack-based buffer overflow, which may allow remote attackers to execute arbitrary code on embedded platforms via traffic on Port 2947/TCP or crafted JSON inputs.


Need to stabilize a fixed version, we'll just depend on existing stablereq here.
Comment 1 Larry the Git Cow gentoo-dev 2020-09-25 17:56:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65805a58b1c7920eeaf78b5ea6ec07d958ddc312

commit 65805a58b1c7920eeaf78b5ea6ec07d958ddc312
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-09-25 17:55:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-09-25 17:55:55 +0000

    sci-geosciences/gpsd: cleanup old
    
    Bug: https://bugs.gentoo.org/743766
    Bug: https://bugs.gentoo.org/743556
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 sci-geosciences/gpsd/Manifest                      |   2 -
 .../gpsd/files/gpsd-3.17-do_not_rm_library.patch   |  12 --
 .../gpsd/files/gpsd-3.17-scons-print.patch         |  73 --------
 .../gpsd/files/gpsd-3.17-scons-py3.patch           | 143 ----------------
 .../gpsd/files/gpsd-3.18.1-do_not_rm_library.patch |  11 --
 .../gpsd/files/gpsd-3.19-do_not_rm_library.patch   |  11 --
 sci-geosciences/gpsd/gpsd-3.17-r3.ebuild           | 171 -------------------
 sci-geosciences/gpsd/gpsd-3.17-r4.ebuild           | 175 -------------------
 sci-geosciences/gpsd/gpsd-3.20.ebuild              | 189 ---------------------
 9 files changed, 787 deletions(-)
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2020-09-29 18:12:57 UTC
This issue was resolved and addressed in
 GLSA 202009-17 at https://security.gentoo.org/glsa/202009-17
by GLSA coordinator Sam James (sam_c).