Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 2 May 2013 15:41:51 -0400
From: "Eric S. Raymond" <esr@...rsus.com>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com, Jan Lieskovsky <jlieskov@...hat.com>,
	"Steven M. Christey" <coley@...us.mitre.org>,
	Miroslav Lichvar <mlichvar@...hat.com>
Subject: Re: CVE Request -- gpsd 3.9 fixing a denial of
 service flaw

Kurt Seifried <kseifried@...hat.com>:
> On 05/02/2013 03:58 AM, Jan Lieskovsky wrote:
> > @Eric - Eric, could you please help us to solve this doubt? (which 
> > of the patches is the correct one to fix the above mentioned DoS /
> > security issue)

There are two critical patches which solve two different DoSes (well,
one certain and one potential).  Yes, it's a strange coincidence that
both bugs were characterized at almost the same time after we haven't
had a crash bug since 2007.

The crash bug was in the NMEA driver.  There's particular kind of malformed
packet, sometimes emitted by SiRFStar-III receivers, that looks like this:

$GPGGA,030130$GPGLL,2638.1728,N,08011.3893,W,030131.000,A,A*41\r\n

See the incomplete GGA without trailing \r\n  at the front?  Usually 
that was harmless and would be silently discarded. Under rare circumstances
it could core dump (but not any more, I now have a regression test to check
this case).

That fix was commit dd9c3c2830cb8f8fd8491ce68c82698dc5538f50.

The potential crash/DoS was in the AIS driver.

The first stage of what it does is un-armor an AIVDM ASCII packet
representation into an equivalent binary packet which is then examined
for data at specific bit offsets.

The un-armoring logic was not properly bounds-checked, potentially
opening up a hole. In theory, an overlong armored packet could be
crafted to overrun the binary-packet buffer.

I'm not sure that one was exploitable; there are other properties of
the code (notably the bounds-checked maximum length of the AIVDM ASCII
packet buffer) that seem to guarantee the end of the binary packet
buffer could never be reached.

I put in a check anyway, because (a) I could be wrong about that, (b)
supposing I'm right, that invariant could get silently broken by a future 
code change.

That was commit 08edc49d8f63c75bfdfb480b083b0d960310f94f, responding 
to Savannah bug #38511.

Note: neither of these have privilege-escalation possibilities.  gpsd
needs root to initialize, but drops it long before either of these 
code defects could fire.

If you have any other questions, do not hesitate to ask.
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

Download attachment "signature.asc" of type "application/pgp-signature" (191 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.