Date: Thu, 2 May 2013 15:41:51 -0400 From: "Eric S. Raymond" <esr@...rsus.com> To: Kurt Seifried <kseifried@...hat.com> Cc: oss-security@...ts.openwall.com, Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, Miroslav Lichvar <mlichvar@...hat.com> Subject: Re: CVE Request -- gpsd 3.9 fixing a denial of service flaw Kurt Seifried <kseifried@...hat.com>: > On 05/02/2013 03:58 AM, Jan Lieskovsky wrote: > > @Eric - Eric, could you please help us to solve this doubt? (which > > of the patches is the correct one to fix the above mentioned DoS / > > security issue) There are two critical patches which solve two different DoSes (well, one certain and one potential). Yes, it's a strange coincidence that both bugs were characterized at almost the same time after we haven't had a crash bug since 2007. The crash bug was in the NMEA driver. There's particular kind of malformed packet, sometimes emitted by SiRFStar-III receivers, that looks like this: $GPGGA,030130$GPGLL,2638.1728,N,08011.3893,W,030131.000,A,A*41\r\n See the incomplete GGA without trailing \r\n at the front? Usually that was harmless and would be silently discarded. Under rare circumstances it could core dump (but not any more, I now have a regression test to check this case). That fix was commit dd9c3c2830cb8f8fd8491ce68c82698dc5538f50. The potential crash/DoS was in the AIS driver. The first stage of what it does is un-armor an AIVDM ASCII packet representation into an equivalent binary packet which is then examined for data at specific bit offsets. The un-armoring logic was not properly bounds-checked, potentially opening up a hole. In theory, an overlong armored packet could be crafted to overrun the binary-packet buffer. I'm not sure that one was exploitable; there are other properties of the code (notably the bounds-checked maximum length of the AIVDM ASCII packet buffer) that seem to guarantee the end of the binary packet buffer could never be reached. I put in a check anyway, because (a) I could be wrong about that, (b) supposing I'm right, that invariant could get silently broken by a future code change. That was commit 08edc49d8f63c75bfdfb480b083b0d960310f94f, responding to Savannah bug #38511. Note: neither of these have privilege-escalation possibilities. gpsd needs root to initialize, but drops it long before either of these code defects could fire. If you have any other questions, do not hesitate to ask. -- <a href="http://www.catb.org/~esr/">Eric S. Raymond</a> Download attachment "signature.asc" of type "application/pgp-signature" (191 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.