Hi,

On Sat, 30 Mar 2019 08:32:34 +0100 Salvatore Bonaccorso <car...@debian.org> wrote:
> Hi Bernd,
>
> On Fri, Mar 29, 2019 at 10:54:50PM +0100, Bernd Zeimetz wrote:
> > Hi Salvatore,
> >
> > > The following vulnerability was published for gpsd, not completely sure
> > > on severity and on if the referenced upstream commit is enough.
> > > Ideally though the fix seems ideal to go to buster.
> >
> > I've tried to get more information out of Upstream, but did not get a
> > reply yet. So I'll prepare an upload with the mentioned commit. Looking
> > through the commit logs from gpsd it seems to be the only relevant one.
>
> Ack thank you for investigating, I was neither more successful to
> determine if that's enough.
>
> Cc'ing the security team alias, if anyone has more ideas.

I think I would also backport
http://git.savannah.nongnu.org/cgit/gpsd.git/commit/json.c?id=9b3724cb7bca7a0776bcb9b054cd1d8d736278a4
and
http://git.savannah.nongnu.org/cgit/gpsd.git/commit/json.c?id=317375877576b10fd5312a7b0dec4a192881eead
for good measure.

But I agree that the essential fix seems to be
http://git.savannah.nongnu.org/cgit/gpsd.git/commit/?id=7646cbd04055a50b157312ba6b376e88bd398c19

Regards,
Markus