oss-sec mailing list archives

Re: CVE Request -- gpsd 3.9 fixing a denial of service flaw


From: "Eric S. Raymond" <esr () thyrsus com>
Date: Tue, 7 May 2013 21:30:01 -0400

Jan Lieskovsky <jlieskov () redhat com>:
> Hello Eric,
> 
>   since doubts have appeared:
>     https://bugs.mageia.org/show_bug.cgi?id=9969#c2

Sorry, it seems I missed some earlier mail, probably due to my DNS being
temporarily deranged after I upgraded to Ubuntu 13.04.

> which upstream patch has the CVE-2013-2038 identifier been assigned
> to, could you confirm / disprove the latter?
> 
> * The true crash was in the NMEA(2000) driver, with upstream patch:
>   http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=dd9c3c2830cb8f8fd8491ce68c82698dc5538f50
> 
>   This one should be referenced under CVE-2013-2038.

Not quite right.  The problem was with NMEA0183, not with NMEA2000.  But yes,
this crash has been seen in the wild, though not in conjunction with an
identified attack.

> * While the hypothetical one was in the AIS driver, with upstream patch:
>   http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=08edc49d8f63c75bfdfb480b083b0d960310f94f
> 
>   Upstream 3.9 announcement "Armor the AIS driver against an implausible overrun attack."
>   would support this.

Correct.  The potential AIS overrun has *not* been observed.  The
possibility was reported by someone reading the code.

> Application of the patch looks reasonable. It would just be good to know
> if it was applied merely as a preventive measure (no DoS right now, just
> preventing its [possible] occurrence in the future in case of code change)
> or if under certain circumstances it might be used to DoS gpsd too?

It is a preventive measure.  I don't think it is presently exploitable,
but I'm not *certain* it isn't.
-- 
                <a href="http://www.catb.org/~esr/">Eric S. Raymond</a>