Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected] Control: affects -1 + src:gpsd User: [email protected] Usertags: pu
[ Reason ] CVE-2025-67268 CVE-2025-67269 [ Impact ] CVE are not fixed [ Tests ] Automated during build [ Risks ] Low [ Checklist ] X ] *all* changes are documented in the d/changelog X ] I reviewed all changes and I approve them X ] attach debdiff against the package in (old)stable X ] the issue is verified as fixed in unstable [ Changes ] CVE patches and salsaCI fix including a patch removing a systematic rebuild of all rdeps (superseded and considered bad for salsa) [ Other info ]
diff -Nru gpsd-3.25/debian/.gitlab-ci.yml gpsd-3.25/debian/.gitlab-ci.yml --- gpsd-3.25/debian/.gitlab-ci.yml 2024-02-11 12:51:29.000000000 +0000 +++ gpsd-3.25/debian/.gitlab-ci.yml 2026-01-17 16:51:45.000000000 +0000 @@ -1,10 +1,9 @@ include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml - - https://salsa.debian.org/bbonev/pkg-gpsd/-/raw/master/debian/.salsa-ci/rdeps-gpsd.yaml variables: - RELEASE: 'unstable' + RELEASE: 'trixie' SALSA_CI_DISABLE_APTLY: 0 SALSA_CI_DISABLE_AUTOPKGTEST: 0 SALSA_CI_DISABLE_BLHC: 0 diff -Nru gpsd-3.25/debian/.salsa-ci/rdeps-gpsd.yaml gpsd-3.25/debian/.salsa-ci/rdeps-gpsd.yaml --- gpsd-3.25/debian/.salsa-ci/rdeps-gpsd.yaml 2023-06-28 21:25:56.000000000 +0000 +++ gpsd-3.25/debian/.salsa-ci/rdeps-gpsd.yaml 1970-01-01 00:00:00.000000000 +0000 @@ -1,159 +0,0 @@ -.rdep-build-before-script: &rdep-build-before-script | - # Reported in https://salsa.debian.org/salsa-ci-team/pipeline/issues/104, - # GitLab can only expand variables once. So at the beginning CCACHE_WORK_DIR - # was assigned to `${WORKING_DIR}/.ccache`, and it will be expanded as - # `$CI_PROJECT_DIR/debian/output/.ccache`, so it creates a folder named - # "\$CI_PROJECT_DIR", which is then saved as build cache. To allow smooth - # transition, that wrongly named folder has to be removed: - rm -rf '$CI_PROJECT_DIR' - - # salsa-ci-team/pipeline#107 - rm -rf ${CI_PROJECT_DIR}/debian/output/.ccache - - mkdir -p ${WORKING_DIR} ${CCACHE_WORK_DIR} - - # https://salsa.debian.org/salsa-ci-team/pipeline/-/merge_requests/230 - rm -rf ${CCACHE_TMP_DIR} - - mv ${CCACHE_WORK_DIR} ${CCACHE_TMP_DIR} - add_extra_repository.sh -v -e "${SALSA_CI_EXTRA_REPOSITORY}" -k "${SALSA_CI_EXTRA_REPOSITORY_KEY}" - - -.rdep-build-script: &rdep-build-script | - export CCACHE_DIR=${CCACHE_TMP_DIR} - # Add deb-src entries - sed -i 's/^Types:.*/Types: deb deb-src/' /etc/apt/sources.list.d/debian.sources - apt-get update && eatmydata apt-get install --no-install-recommends -y \ - aptitude \ - devscripts \ - ccache \ - equivs \ - build-essential - apt -y build-dep ${REVERSE_DEP} - # install built packages - dpkg -i ${WORKING_DIR}/*.deb || apt -y -f install - # download source - cd ${WORKING_DIR} - # Generate ccache links - dpkg-reconfigure ccache - PATH="/usr/lib/ccache/:${PATH}" - # Reset ccache stats - ccache -z - # Create salsaci user and fix permissions - useradd salsaci - chown -R salsaci. ${WORKING_DIR} ${CCACHE_DIR} - # Define buildlog filename - BUILD_LOGFILE="${WORKING_DIR}/${REVERSE_DEP}.build" - # Build package as user salsaci - su salsaci -c "eatmydata apt source -b ${REVERSE_DEP}" |& OUTPUT_FILENAME=${BUILD_LOGFILE} filter-output - # Restore PWD to ${WORKING_DIR} - cd ${WORKING_DIR} - rm -rf ${WORKING_DIR}/${REVERSE_DEP}* - # Print ccache stats on job log - ccache -s - -.rdep-build-definition: &rdep-build-definition - stage: test - image: $SALSA_CI_IMAGES_BASE - cache: - key: "${REVERSE_DEP}-build" - paths: - - .ccache - except: - variables: - - $SALSA_CI_ENABLE_REVERSE_DEPENDENCY_BUILD !~ /^(1|yes|true)$/ - - $CI_COMMIT_TAG != null && $SALSA_CI_ENABLE_PIPELINE_ON_TAGS !~ /^(1|yes|true)$/ - - $CI_MERGE_REQUEST_ID != null - variables: - CCACHE_TMP_DIR: ${CI_PROJECT_DIR}/../.ccache - CCACHE_WORK_DIR: ${CI_PROJECT_DIR}/.ccache - script: - - *rdep-build-before-script - - *rdep-build-script - - mv ${CCACHE_TMP_DIR} ${CCACHE_WORK_DIR} - needs: - - job: build - artifacts: true - - - - - - -build-rdep-alfred: - variables: - REVERSE_DEP: alfred - extends: .rdep-build-definition - - -build-rdep-collectd: - variables: - REVERSE_DEP: collectd - extends: .rdep-build-definition - - -build-rdep-direwolf: - variables: - REVERSE_DEP: direwolf - extends: .rdep-build-definition - - -build-rdep-foxtrotgps: - variables: - REVERSE_DEP: foxtrotgps - extends: .rdep-build-definition - - -build-rdep-indi-gpsd: - variables: - REVERSE_DEP: indi-gpsd - extends: .rdep-build-definition - - -build-rdep-marble: - variables: - REVERSE_DEP: marble - extends: .rdep-build-definition - - -build-rdep-merkaartor: - variables: - REVERSE_DEP: merkaartor - extends: .rdep-build-definition - - -build-rdep-navit: - variables: - REVERSE_DEP: navit - extends: .rdep-build-definition - - -build-rdep-osmo-bts: - variables: - REVERSE_DEP: osmo-bts - extends: .rdep-build-definition - - -build-rdep-plasma-workspace: - variables: - REVERSE_DEP: plasma-workspace - extends: .rdep-build-definition - - -build-rdep-s3d: - variables: - REVERSE_DEP: s3d - extends: .rdep-build-definition - - -build-rdep-uhd: - variables: - REVERSE_DEP: uhd - extends: .rdep-build-definition - - -build-rdep-viking: - variables: - REVERSE_DEP: viking - extends: .rdep-build-definition - diff -Nru gpsd-3.25/debian/changelog gpsd-3.25/debian/changelog --- gpsd-3.25/debian/changelog 2025-01-19 16:06:33.000000000 +0000 +++ gpsd-3.25/debian/changelog 2026-01-17 16:51:45.000000000 +0000 @@ -1,3 +1,29 @@ +gpsd (3.25-5+deb13u1) trixie; urgency=medium + + * Non-Maintainer Upload by LTS team + * Fix CVE-2025-67268 (Closes: #1124800). + gpsd contains a heap-based out-of-bounds write + vulnerability in the drivers/driver_nmea2000.c file. + The hnd_129540 function, which handles NMEA2000 PGN 129540 + (GNSS Satellites in View) packets, fails to validate the + user-supplied satellite count against the size of the skyview + array (184 elements). This allows an attacker to write beyond + the bounds of the array by providing a satellite count up + to 255, leading to memory corruption, Denial of Service (DoS), + and potentially arbitrary code execution. + * Fix CVE-2025-67269 (Closes: #1124799). + An integer underflow vulnerability exists in the `nextstate()` + function in `gpsd/packet.c`. + When parsing a NAVCOM packet, the payload length is calculated + using `lexer->length = (size_t)c - 4` without checking if + the input byte `c` is less than 4. This results in an unsigned + integer underflow, setting `lexer->length` to a very large value + (near `SIZE_MAX`). The parser then enters a loop attempting to + consume this massive number of bytes, causing 100% CPU utilization + and a Denial of Service (DoS) condition. + + -- Bastien Roucariès <[email protected]> Sat, 17 Jan 2026 17:51:45 +0100 + gpsd (3.25-5) unstable; urgency=medium * Fix apparmor profile to work on usrmerged systems too (Closes: #1093437) diff -Nru gpsd-3.25/debian/patches/CVE-2025-67268.patch gpsd-3.25/debian/patches/CVE-2025-67268.patch --- gpsd-3.25/debian/patches/CVE-2025-67268.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpsd-3.25/debian/patches/CVE-2025-67268.patch 2026-01-17 16:51:45.000000000 +0000 @@ -0,0 +1,374 @@ +From: "Gary E. Miller" <[email protected]> +Date: Sat, 17 Jan 2026 17:43:51 +0100 +Subject: [PATCH] drivers/driver_nmea2000.c: Fix issue 356, + skyview buffer overrun. + +origin: https://gitlab.com/gpsd/gpsd/-/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4 +debian-bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124800 +--- + drivers/driver_nmea2000.c | 123 ++++++++++++++++++++++++++-------------------- + 1 file changed, 71 insertions(+), 52 deletions(-) + +diff --git a/drivers/driver_nmea2000.c b/drivers/driver_nmea2000.c +index 66959f0..70462b3 100644 +--- a/drivers/driver_nmea2000.c ++++ b/drivers/driver_nmea2000.c +@@ -12,11 +12,11 @@ + * Message contents can be had from canboat/analyzer: + * analyzer -explain + * +- * This file is Copyright 2012 by the GPSD project ++ * This file is Copyright by the GPSD project + * SPDX-License-Identifier: BSD-2-clause + */ + +-#include "../include/gpsd_config.h" /* must be before all includes */ ++#include "../include/gpsd_config.h" // must be before all includes + + #if defined(NMEA2000_ENABLE) + +@@ -68,7 +68,7 @@ typedef struct PGN + + #if LOG_FILE + FILE *logFile = NULL; +-#endif /* of if LOG_FILE */ ++#endif // of if LOG_FILE + + extern bool __attribute__ ((weak)) gpsd_add_device(const char *device_name, + bool flag_nowait); +@@ -89,14 +89,14 @@ static int scale_int(int32_t var, const int64_t factor) + static void print_data(struct gps_context_t *context, + unsigned char *buffer, int len, PGN *pgn) + { +- if ((libgps_debuglevel >= LOG_IO) != 0) { +- int l1, l2, ptr; ++ if (LOG_IO <= libgps_debuglevel) { ++ int l1; + char bu[128]; + +- ptr = 0; +- l2 = sprintf(&bu[ptr], "got data:%6u:%3d: ", pgn->pgn, len); ++ int ptr = 0; ++ int l2 = sprintf(&bu[ptr], "got data:%6u:%3d: ", pgn->pgn, len); + ptr += l2; +- for (l1=0;l1<len;l1++) { ++ for (l1 = 0; l1 < len; l1++) { + if (((l1 % 20) == 0) && (l1 != 0)) { + GPSD_LOG(LOG_IO, &context->errout, "%s\n", bu); + ptr = 0; +@@ -276,7 +276,7 @@ static gps_mask_t hnd_127258(unsigned char *bu, int len, PGN *pgn, + struct gps_device_t *session) + { + print_data(session->context, bu, len, pgn); +- /* FIXME? Get magnetic variation */ ++ // FIXME? Get magnetic variation + GPSD_LOG(LOG_DATA, &session->context->errout, + "pgn %6d(%3d):\n", pgn->pgn, session->driver.nmea2000.unit); + return(0); +@@ -358,7 +358,7 @@ static gps_mask_t hnd_126992(unsigned char *bu, int len, PGN *pgn, + { + // uint8_t sid; + // uint8_t source; +- uint64_t usecs; /* time in us */ ++ uint64_t usecs; // time in us + + print_data(session->context, bu, len, pgn); + GPSD_LOG(LOG_DATA, &session->context->errout, +@@ -434,6 +434,7 @@ static gps_mask_t hnd_129540(unsigned char *bu, int len, PGN *pgn, + struct gps_device_t *session) + { + int l1; ++ int expected_len; + + print_data(session->context, bu, len, pgn); + GPSD_LOG(LOG_DATA, &session->context->errout, +@@ -441,24 +442,39 @@ static gps_mask_t hnd_129540(unsigned char *bu, int len, PGN *pgn, + + session->driver.nmea2000.sid[2] = bu[0]; + session->gpsdata.satellites_visible = (int)bu[2]; ++ if (MAXCHANNELS <= session->gpsdata.satellites_visible) { ++ // Handle a CVE for overrunning skyview[] ++ GPSD_LOG(LOG_WARN, &session->context->errout, ++ "pgn %6d(%3d): Too many sats %d\n", ++ pgn->pgn, session->driver.nmea2000.unit, ++ session->gpsdata.satellites_visible); ++ session->gpsdata.satellites_visible = MAXCHANNELS; ++ } ++ expected_len = 3 + (12 * session->gpsdata.satellites_visible); ++ if (len != expected_len) { ++ GPSD_LOG(LOG_WARN, &session->context->errout, ++ "pgn %6d(%3d): wrong length %d s/b %d\n", ++ pgn->pgn, session->driver.nmea2000.unit, ++ len, expected_len); ++ return 0; ++ } + + memset(session->gpsdata.skyview, '\0', sizeof(session->gpsdata.skyview)); +- for (l1=0;l1<session->gpsdata.satellites_visible;l1++) { +- int svt; +- double azi, elev, snr; +- +- elev = getles16(bu, 3+12*l1+1) * 1e-4 * RAD_2_DEG; +- azi = getleu16(bu, 3+12*l1+3) * 1e-4 * RAD_2_DEG; +- snr = getles16(bu, 3+12*l1+5) * 1e-2; ++ for (l1 = 0; l1 < session->gpsdata.satellites_visible; l1++) { ++ int offset = 3 + (12 * l1); ++ double elev = getles16(bu, offset + 1) * 1e-4 * RAD_2_DEG; ++ double azi = getleu16(bu, offset + 3) * 1e-4 * RAD_2_DEG; ++ double snr = getles16(bu, offset + 5) * 1e-2; + +- svt = (int)(bu[3+12*l1+11] & 0x0f); ++ int svt = (int)(bu[offset + 11] & 0x0f); + +- session->gpsdata.skyview[l1].elevation = (short) (round(elev)); +- session->gpsdata.skyview[l1].azimuth = (short) (round(azi)); ++ session->gpsdata.skyview[l1].elevation = elev; ++ session->gpsdata.skyview[l1].azimuth = azi; + session->gpsdata.skyview[l1].ss = snr; +- session->gpsdata.skyview[l1].PRN = (short)bu[3+12*l1+0]; ++ session->gpsdata.skyview[l1].PRN = (int16_t)bu[offset]; + session->gpsdata.skyview[l1].used = false; +- if ((svt == 2) || (svt == 5)) { ++ if ((2 == svt) || ++ (5 == svt)) { + session->gpsdata.skyview[l1].used = true; + } + } +@@ -588,7 +604,7 @@ static gps_mask_t hnd_129029(unsigned char *bu, int len, PGN *pgn, + struct gps_device_t *session) + { + gps_mask_t mask; +- uint64_t usecs; /* time in us */ ++ uint64_t usecs; // time in us + + print_data(session->context, bu, len, pgn); + GPSD_LOG(LOG_DATA, &session->context->errout, +@@ -675,7 +691,7 @@ static gps_mask_t hnd_129038(unsigned char *bu, int len, PGN *pgn, + (unsigned int)ais_direction((unsigned int)getleu16(bu, 21), 1.0); + ais->type1.turn = ais_turn_rate((int)getles16(bu, 23)); + ais->type1.status = (unsigned int) ((bu[25] >> 0) & 0x0f); +- ais->type1.maneuver = 0; /* Not transmitted ???? */ ++ ais->type1.maneuver = 0; // Not transmitted ???? + decode_ais_channel_info(bu, len, 163, session); + + return(ONLINE_SET | AIS_SET); +@@ -730,8 +746,9 @@ static gps_mask_t hnd_129039(unsigned char *bu, int len, PGN *pgn, + + /* + * PGN 129040: AIS Class B Extended Position Report ++ * ++ * No test case for this message at the moment + */ +-/* No test case for this message at the moment */ + static gps_mask_t hnd_129040(unsigned char *bu, int len, PGN *pgn, + struct gps_device_t *session) + { +@@ -781,8 +798,8 @@ static gps_mask_t hnd_129040(unsigned char *bu, int len, PGN *pgn, + ais->type19.epfd = (unsigned int) ((bu[23] >> 4) & 0x0f); + ais->type19.dte = (unsigned int) ((bu[52] >> 0) & 0x01); + ais->type19.assigned = (bool) ((bu[52] >> 1) & 0x01); +- for (l=0;l<AIS_SHIPNAME_MAXLEN;l++) { +- ais->type19.shipname[l] = (char) bu[32+l]; ++ for (l = 0; l < AIS_SHIPNAME_MAXLEN; l++) { ++ ais->type19.shipname[l] = (char)bu[32+l]; + } + ais->type19.shipname[AIS_SHIPNAME_MAXLEN] = (char) 0; + decode_ais_channel_info(bu, len, 422, session); +@@ -914,7 +931,7 @@ static gps_mask_t hnd_129794(unsigned char *bu, int len, PGN *pgn, + ais->type5.draught = (unsigned int) (getleu16(bu, 51)/10); + ais->type5.dte = (unsigned int) ((bu[73] >> 6) & 0x01); + +- for (l=0,cpy_stop=0;l<7;l++) { ++ for (l = 0, cpy_stop = 0; l < 7; l++) { + char next; + + next = (char) bu[9+l]; +@@ -929,7 +946,7 @@ static gps_mask_t hnd_129794(unsigned char *bu, int len, PGN *pgn, + } + ais->type5.callsign[7] = (char) 0; + +- for (l=0,cpy_stop=0;l<AIS_SHIPNAME_MAXLEN;l++) { ++ for (l = 0, cpy_stop = 0; l < AIS_SHIPNAME_MAXLEN; l++) { + char next; + + next = (char) bu[16+l]; +@@ -944,7 +961,7 @@ static gps_mask_t hnd_129794(unsigned char *bu, int len, PGN *pgn, + } + ais->type5.shipname[AIS_SHIPNAME_MAXLEN] = (char) 0; + +- for (l=0,cpy_stop=0;l<20;l++) { ++ for (l = 0, cpy_stop = 0; l < 20; l++) { + char next; + + next = (char) bu[53+l]; +@@ -978,7 +995,7 @@ static gps_mask_t hnd_129794(unsigned char *bu, int len, PGN *pgn, + date2.tm_year+1900, + ais->type5.hour, + ais->type5.minute); +-#endif /* of #if NMEA2000_DEBUG_AIS */ ++#endif // end of #if NMEA2000_DEBUG_AIS + decode_ais_channel_info(bu, len, 592, session); + return(ONLINE_SET | AIS_SET); + } +@@ -988,8 +1005,9 @@ static gps_mask_t hnd_129794(unsigned char *bu, int len, PGN *pgn, + + /* + * PGN 129798: AIS SAR Aircraft Position Report ++ * ++ * No test case for this message at the moment + */ +-/* No test case for this message at the moment */ + static gps_mask_t hnd_129798(unsigned char *bu, int len, PGN *pgn, + struct gps_device_t *session) + { +@@ -1016,8 +1034,8 @@ static gps_mask_t hnd_129798(unsigned char *bu, int len, PGN *pgn, + ais->type9.alt = (unsigned int) (getleu64(bu, 21)/1000000); + ais->type9.regional = (unsigned int) ((bu[29] >> 0) & 0xff); + ais->type9.dte = (unsigned int) ((bu[30] >> 0) & 0x01); +-/* ais->type9.spare = (bu[30] >> 1) & 0x7f; */ +- ais->type9.assigned = 0; /* Not transmitted ???? */ ++// ais->type9.spare = (bu[30] >> 1) & 0x7f; ++ ais->type9.assigned = 0; // Not transmitted ???? + decode_ais_channel_info(bu, len, 163, session); + + return(ONLINE_SET | AIS_SET); +@@ -1028,8 +1046,9 @@ static gps_mask_t hnd_129798(unsigned char *bu, int len, PGN *pgn, + + /* + * PGN 129802: AIS Safety Related Broadcast Message ++ * ++ * No test case for this message at the moment + */ +-/* No test case for this message at the moment */ + static gps_mask_t hnd_129802(unsigned char *bu, int len, PGN *pgn, + struct gps_device_t *session) + { +@@ -1043,8 +1062,8 @@ static gps_mask_t hnd_129802(unsigned char *bu, int len, PGN *pgn, + if (decode_ais_header(session->context, bu, len, ais, 0x3fffffff) != 0) { + int l; + +-/* ais->type14.channel = (bu[ 5] >> 0) & 0x1f; */ +- for (l=0;l<36;l++) { ++// ais->type14.channel = (bu[ 5] >> 0) & 0x1f; ++ for (l = 0; l < 36; l++) { + ais->type14.text[l] = (char) bu[6+l]; + } + ais->type14.text[36] = (char) 0; +@@ -1079,7 +1098,7 @@ static gps_mask_t hnd_129809(unsigned char *bu, int len, PGN *pgn, + "NMEA2000: AIS message 24A from %09u stashed.\n", + ais->mmsi); + +- for (l=0;l<AIS_SHIPNAME_MAXLEN;l++) { ++ for (l = 0; l < AIS_SHIPNAME_MAXLEN; l++) { + ais->type24.shipname[l] = (char) bu[ 5+l]; + saveptr->shipname[l] = (char) bu[ 5+l]; + } +@@ -1119,12 +1138,12 @@ static gps_mask_t hnd_129810(unsigned char *bu, int len, PGN *pgn, + + ais->type24.shiptype = (unsigned int) ((bu[ 5] >> 0) & 0xff); + +- for (l=0;l<7;l++) { ++ for (l = 0; l < 7; l++) { + ais->type24.vendorid[l] = (char) bu[ 6+l]; + } + ais->type24.vendorid[7] = (char) 0; + +- for (l=0;l<7;l++) { ++ for (l = 0; l < 7; l++) { + ais->type24.callsign[l] = (char) bu[13+l]; + } + ais->type24.callsign[7] = (char )0; +@@ -1158,7 +1177,7 @@ static gps_mask_t hnd_129810(unsigned char *bu, int len, PGN *pgn, + for (i = 0; i < MAX_TYPE24_INTERLEAVE; i++) { + if (session->driver.aivdm.context[0].type24_queue.ships[i].mmsi == + ais->mmsi) { +- for (l=0;l<AIS_SHIPNAME_MAXLEN;l++) { ++ for (l = 0; l < AIS_SHIPNAME_MAXLEN; l++) { + ais->type24.shipname[l] = + (char)(session->driver.aivdm.context[0].type24_queue.ships[i].shipname[l]); + } +@@ -1566,7 +1585,7 @@ static void find_pgn(struct can_frame *frame, struct gps_device_t *session) + frame->can_id & 0x1ffffff); + if ((frame->can_dlc & 0x0f) > 0) { + int l1; +- for(l1=0;l1<(frame->can_dlc & 0x0f);l1++) { ++ for(l1 = 0; l1 < (frame->can_dlc & 0x0f); l1++) { + (void)fprintf(logFile, "%02x", frame->data[l1]); + } + } +@@ -1591,8 +1610,8 @@ static void find_pgn(struct can_frame *frame, struct gps_device_t *session) + if (!session->driver.nmea2000.unit_valid) { + unsigned int l1, l2; + +- for (l1=0;l1<NMEA2000_NETS;l1++) { +- for (l2=0;l2<NMEA2000_UNITS;l2++) { ++ for (l1 = 0; l1 < NMEA2000_NETS; l1++) { ++ for (l2 = 0; l2 < NMEA2000_UNITS; l2++) { + if (session == nmea2000_units[l1][l2]) { + session->driver.nmea2000.unit = l2; + session->driver.nmea2000.unit_valid = true; +@@ -1641,7 +1660,7 @@ static void find_pgn(struct can_frame *frame, struct gps_device_t *session) + "pgn %6d:%s \n", work->pgn, work->name); + session->driver.nmea2000.workpgn = (void *) work; + session->lexer.outbuflen = frame->can_dlc & 0x0f; +- for (l2=0;l2<session->lexer.outbuflen;l2++) { ++ for (l2 = 0; l2 < session->lexer.outbuflen; l2++) { + session->lexer.outbuffer[l2]= frame->data[l2]; + } + } else if ((frame->data[0] & 0x1f) == 0) { +@@ -1659,7 +1678,7 @@ static void find_pgn(struct can_frame *frame, struct gps_device_t *session) + #endif /* of #if NMEA2000_FAST_DEBUG */ + session->lexer.inbuflen = 0; + session->driver.nmea2000.idx += 1; +- for (l2=2;l2<8;l2++) { ++ for (l2 = 2; l2 < 8; l2++) { + session->lexer.inbuffer[session->lexer.inbuflen++] = + frame->data[l2]; + } +@@ -1668,7 +1687,7 @@ static void find_pgn(struct can_frame *frame, struct gps_device_t *session) + } else if (frame->data[0] == session->driver.nmea2000.idx) { + unsigned int l2; + +- for (l2=1;l2<8;l2++) { ++ for (l2 = 1; l2 < 8; l2++) { + if (session->driver.nmea2000.fast_packet_len > + session->lexer.inbuflen) { + session->lexer.inbuffer[session->lexer.inbuflen++] = +@@ -1689,7 +1708,7 @@ static void find_pgn(struct can_frame *frame, struct gps_device_t *session) + session->driver.nmea2000.workpgn = (void *) work; + session->lexer.outbuflen = + session->driver.nmea2000.fast_packet_len; +- for(l2 = 0;l2 < (unsigned int)session->lexer.outbuflen; ++ for(l2 = 0; l2 < (unsigned int)session->lexer.outbuflen; + l2++) { + session->lexer.outbuffer[l2] = + session->lexer.inbuffer[l2]; +@@ -1791,7 +1810,7 @@ int nmea2000_open(struct gps_device_t *session) + (void)strlcpy(interface_name, session->gpsdata.dev.path + 11, + sizeof(interface_name)); + unit_ptr = NULL; +- for (l=0;l<strnlen(interface_name,sizeof(interface_name));l++) { ++ for (l = 0; l < strnlen(interface_name, sizeof(interface_name)); l++) { + if (interface_name[l] == ':') { + unit_ptr = &interface_name[l+1]; + interface_name[l] = 0; +@@ -1908,7 +1927,7 @@ int nmea2000_open(struct gps_device_t *session) + interface_name, + MIN(sizeof(can_interface_name[0]), sizeof(interface_name))); + session->driver.nmea2000.unit_valid = false; +- for (l=0;l<NMEA2000_UNITS;l++) { ++ for (l = 0; l < NMEA2000_UNITS; l++) { + nmea2000_units[can_net][l] = NULL; + } + } +@@ -1931,8 +1950,8 @@ void nmea2000_close(struct gps_device_t *session) + if (session->driver.nmea2000.unit_valid) { + unsigned int l1, l2; + +- for (l1=0;l1<NMEA2000_NETS;l1++) { +- for (l2=0;l2<NMEA2000_UNITS;l2++) { ++ for (l1 = 0; l1 < NMEA2000_NETS; l1++) { ++ for (l2 = 0; l2 < NMEA2000_UNITS; l2++) { + if (session == nmea2000_units[l1][l2]) { + session->driver.nmea2000.unit_valid = false; + session->driver.nmea2000.unit = 0; diff -Nru gpsd-3.25/debian/patches/CVE-2025-67269.patch gpsd-3.25/debian/patches/CVE-2025-67269.patch --- gpsd-3.25/debian/patches/CVE-2025-67269.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpsd-3.25/debian/patches/CVE-2025-67269.patch 2026-01-17 16:51:45.000000000 +0000 @@ -0,0 +1,147 @@ +From: "Gary E. Miller" <[email protected]> +Date: Wed, 3 Dec 2025 19:04:03 -0800 +Subject: [PATCH] gpsd/packet.c: Fix integer underflow is malicious Navcom + packet + +Causes DoS. Fix issue 358 +origin: backport, https://gitlab.com/gpsd/gpsd/-/commit/ffa1d6f40bca0b035fc7f5e563160ebb67199da7 +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124799 +--- + gpsd/packet.c | 63 ++++++++++++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 47 insertions(+), 16 deletions(-) + +diff --git a/gpsd/packet.c b/gpsd/packet.c +index 78efb28..6778981 100644 +--- a/gpsd/packet.c ++++ b/gpsd/packet.c +@@ -1020,18 +1020,22 @@ static bool nextstate(struct gps_lexer_t *lexer, unsigned char c) + #endif // SIRF_ENABLE || SKYTRAQ_ENABLE + #ifdef SIRF_ENABLE + case SIRF_LEADER_2: +- // first part of length +- lexer->length = (size_t) (c << 8); ++ // first part of length, MSB ++ lexer->length = (c & 0x7f) << 8; ++ if (lexer->length > MAX_PACKET_LENGTH) { ++ lexer->length = 0; ++ return character_pushback(lexer, GROUND_STATE); ++ } // else + lexer->state = SIRF_LENGTH_1; + break; + case SIRF_LENGTH_1: + // second part of length + lexer->length += c + 2; +- if (lexer->length <= MAX_PACKET_LENGTH) { +- lexer->state = SIRF_PAYLOAD; +- } else { ++ if (lexer->length > MAX_PACKET_LENGTH) { ++ lexer->length = 0; + return character_pushback(lexer, GROUND_STATE); +- } ++ } // else ++ lexer->state = SIRF_PAYLOAD; + break; + case SIRF_PAYLOAD: + if (0 == --lexer->length) { +@@ -1073,6 +1077,7 @@ static bool nextstate(struct gps_lexer_t *lexer, unsigned char c) + return character_pushback(lexer, GROUND_STATE); + } + if (MAX_PACKET_LENGTH < lexer->length) { ++ lexer->length = 0; + return character_pushback(lexer, GROUND_STATE); + } + lexer->state = SKY_PAYLOAD; +@@ -1255,14 +1260,29 @@ static bool nextstate(struct gps_lexer_t *lexer, unsigned char c) + } + break; + case NAVCOM_LEADER_3: ++ // command ID + lexer->state = NAVCOM_ID; + break; + case NAVCOM_ID: +- lexer->length = (size_t)c - 4; ++ /* Length LSB ++ * Navcom length includes command ID, length bytes. and checksum. ++ * So for more than just the payload length. ++ * Minimum 4 bytes */ ++ if (4 > c) { ++ return character_pushback(lexer, GROUND_STATE); ++ } ++ lexer->length = c; + lexer->state = NAVCOM_LENGTH_1; + break; + case NAVCOM_LENGTH_1: ++ // Length USB. Navcom allows payload length up to 65,531 + lexer->length += (c << 8); ++ // don't count ID, length and checksum in payload length ++ lexer->length -= 4; ++ if (MAX_PACKET_LENGTH < lexer->length) { ++ lexer->length = 0; ++ return character_pushback(lexer, GROUND_STATE); ++ } // else + lexer->state = NAVCOM_LENGTH_2; + break; + case NAVCOM_LENGTH_2: +@@ -1389,11 +1409,11 @@ static bool nextstate(struct gps_lexer_t *lexer, unsigned char c) + lexer->length += 2; // checksum + // 10 bytes is the length of the Zodiac header + // no idea what Zodiac max length really is +- if ((MAX_PACKET_LENGTH - 10) >= lexer->length) { +- lexer->state = ZODIAC_PAYLOAD; +- } else { ++ if ((MAX_PACKET_LENGTH - 10) < lexer->length) { ++ lexer->length = 0; + return character_pushback(lexer, GROUND_STATE); +- } ++ } // else ++ lexer->state = ZODIAC_PAYLOAD; + break; + case ZODIAC_PAYLOAD: + if (0 == --lexer->length) { +@@ -1429,6 +1449,7 @@ static bool nextstate(struct gps_lexer_t *lexer, unsigned char c) + lexer->state = UBX_LENGTH_2; + } else { + // bad length ++ lexer->length = 0; + return character_pushback(lexer, GROUND_STATE); + } + break; +@@ -1575,16 +1596,16 @@ static bool nextstate(struct gps_lexer_t *lexer, unsigned char c) + lexer->state = GEOSTAR_MESSAGE_ID_2; + break; + case GEOSTAR_MESSAGE_ID_2: +- lexer->length = (size_t)c * 4; ++ lexer->length = c * 4; + lexer->state = GEOSTAR_LENGTH_1; + break; + case GEOSTAR_LENGTH_1: + lexer->length += (c << 8) * 4; +- if (MAX_PACKET_LENGTH >= lexer->length) { +- lexer->state = GEOSTAR_LENGTH_2; +- } else { ++ if (MAX_PACKET_LENGTH < lexer->length) { ++ lexer->length = 0; + return character_pushback(lexer, GROUND_STATE); +- } ++ } // else ++ lexer->state = GEOSTAR_LENGTH_2; + break; + case GEOSTAR_LENGTH_2: + lexer->state = GEOSTAR_PAYLOAD; +@@ -1896,6 +1917,16 @@ static bool nextstate(struct gps_lexer_t *lexer, unsigned char c) + #endif // STASH_ENABLE + } + ++ /* Catch length overflow. Should not happen. ++ * length is size_t, so underflow looks like overflow too. */ ++ if (MAX_PACKET_LENGTH <= lexer->length) { ++ GPSD_LOG(LOG_WARN, &lexer->errout, ++ "Too long: %zu state %u %s c x%x\n", ++ lexer->length, lexer->state, state_table[lexer->state], c); ++ // exit(255); ++ lexer->length = 0; ++ return character_pushback(lexer, GROUND_STATE); ++ } + return true; // no pushback + } + diff -Nru gpsd-3.25/debian/patches/series gpsd-3.25/debian/patches/series --- gpsd-3.25/debian/patches/series 2023-06-28 20:38:27.000000000 +0000 +++ gpsd-3.25/debian/patches/series 2026-01-17 16:51:45.000000000 +0000 @@ -1,5 +1,3 @@ -# helper script, not an actual patch -# add_patch.sh systemd-documentation.patch full-systemd-support gpsd_hotplug_rules_disable_generic_serial_converters @@ -7,3 +5,5 @@ desktop-add-keywords.patch man-page-typos.patch build-on-hurd.patch +CVE-2025-67268.patch +CVE-2025-67269.patch
signature.asc
Description: This is a digitally signed message part.
