Source: gpsd Version: 3.27.5-0.1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for gpsd. CVE-2026-58459[0]: | gpsd through release-3.27.5, fixed at commit 4c06658, contains a | command injection vulnerability in gpsprof that allows attackers who | control the GPS device subtype value to execute arbitrary shell | commands by embedding backtick payloads in the gnuplot plot title | without proper escaping. The subtype field sourced from a DEVICES | JSON log entry or NMEA PGRMT sentence is written into a generated | gnuplot program via a set title statement with only double-quote | characters escaped, enabling arbitrary shell command execution as | the user running gnuplot when the victim renders the generated plot | through the gpsprof and gnuplot workflow. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-58459 https://www.cve.org/CVERecord?id=CVE-2026-58459 [1] https://gitlab.com/gpsd/gpsd/-/work_items/404#note_3534119267 [2] https://github.com/ntpsec/gpsd/commit/5581ba196d826a984fbfaf792b7d58535f9911ce [3] https://github.com/ntpsec/gpsd/commit/1a6bb7bcbdf58aa940132e630870af061dc88537 [4] https://github.com/ntpsec/gpsd/commit/4c06658e988f4ced1a7a574ce082a22ef625df56 Please adjust the affected versions in the BTS as needed. Regards, Salvatore

