Source: gpsd
Version: 3.27.5-0.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for gpsd.

CVE-2026-58459[0]:
| gpsd through release-3.27.5, fixed at commit 4c06658, contains a
| command injection vulnerability in gpsprof that allows attackers who
| control the GPS device subtype value to execute arbitrary shell
| commands by embedding backtick payloads in the gnuplot plot title
| without proper escaping. The subtype field sourced from a DEVICES
| JSON log entry or NMEA PGRMT sentence is written into a generated
| gnuplot program via a set title statement with only double-quote
| characters escaped, enabling arbitrary shell command execution as
| the user running gnuplot when the victim renders the generated plot
| through the gpsprof and gnuplot workflow.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-58459
    https://www.cve.org/CVERecord?id=CVE-2026-58459
[1] https://gitlab.com/gpsd/gpsd/-/work_items/404#note_3534119267
[2] 
https://github.com/ntpsec/gpsd/commit/5581ba196d826a984fbfaf792b7d58535f9911ce
[3] 
https://github.com/ntpsec/gpsd/commit/1a6bb7bcbdf58aa940132e630870af061dc88537
[4] 
https://github.com/ntpsec/gpsd/commit/4c06658e988f4ced1a7a574ce082a22ef625df56

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to