Your message dated Mon, 19 Jan 2026 15:41:00 +0000
with message-id <[email protected]>
and subject line Bug#1124800: fixed in gpsd 3.27.5-0.1
has caused the Debian Bug report #1124800,
regarding gpsd: CVE-2025-67268
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1124800: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124800
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gpsd
Version: 3.27-1.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for gpsd.

CVE-2025-67268[0]:
| gpsd before commit dc966aa contains a heap-based out-of-bounds write
| vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540
| function, which handles NMEA2000 PGN 129540 (GNSS Satellites in
| View) packets, fails to validate the user-supplied satellite count
| against the size of the skyview array (184 elements). This allows an
| attacker to write beyond the bounds of the array by providing a
| satellite count up to 255, leading to memory corruption, Denial of
| Service (DoS), and potentially arbitrary code execution.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-67268
    https://www.cve.org/CVERecord?id=CVE-2025-67268
[1] https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67268/README.md
[2] https://gitlab.com/gpsd/gpsd/-/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
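
The check whose absence the CVE-2025-67268 text describes, as an added example that is not gpsd's code and not part of the original report: a model parser that validates the claimed satellite count against both the 184-slot array and the bytes actually received. The frame layout (count in the third byte, 12 bytes per record) and all names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SKYVIEW_SLOTS 184  /* array size quoted in the CVE text */
#define HDR_LEN 3          /* assumed: count is the third header byte */
#define REC_LEN 12         /* assumed size of one satellite record */

struct sat { uint8_t prn; int16_t elev_raw; uint16_t azim_raw; };
struct sky { int visible; struct sat skyview[SKYVIEW_SLOTS]; };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns the number of satellites stored, or -1 if the frame is rejected. */
int parse_sats_in_view(const uint8_t *buf, size_t len, struct sky *out) {
    if (len < HDR_LEN)
        return -1;
    size_t count = buf[2];                 /* sender-controlled, 0..255 */
    if (count > SKYVIEW_SLOTS)             /* write side: must fit skyview[] */
        return -1;
    if (len - HDR_LEN < count * REC_LEN)   /* read side: records must exist */
        return -1;
    memset(out, 0, sizeof(*out));
    for (size_t i = 0; i < count; i++) {
        const uint8_t *rec = buf + HDR_LEN + i * REC_LEN;
        out->skyview[i].prn = rec[0];
        out->skyview[i].elev_raw = (int16_t)le16(rec + 1);
        out->skyview[i].azim_raw = le16(rec + 3);
    }
    out->visible = (int)count;
    return out->visible;
}

/* Constructed frame: `count` claimed in the header, `nrec` records present. */
int demo(uint8_t count, size_t nrec) {
    static uint8_t frame[HDR_LEN + 255 * REC_LEN];
    struct sky s;
    memset(frame, 0, sizeof(frame));
    frame[2] = count;
    return parse_sats_in_view(frame, HDR_LEN + nrec * REC_LEN, &s);
}

int main(void) {
    printf("count=255 -> %d\n", demo(255, 255));
    printf("count=184 -> %d\n", demo(184, 184));
    printf("count=10, 9 records -> %d\n", demo(10, 9));
    return 0;
}
```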
--- Begin Message ---
Source: gpsd
Source-Version: 3.27.5-0.1
Done: Bastien Roucariès <[email protected]>

We believe that the bug you reported is fixed in the latest version of
gpsd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <[email protected]> (supplier of updated gpsd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 17 Jan 2026 16:47:06 +0100
Source: gpsd
Architecture: source
Version: 3.27.5-0.1
Distribution: unstable
Urgency: medium
Maintainer: Boian Bonev <[email protected]>
Changed-By: Bastien Roucariès <[email protected]>
Closes: 1124799 1124800
Changes:
 gpsd (3.27.5-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload
   * New upstream version
   * Fix CVE-2025-67268 (Closes: #1124800).
     gpsd contains a heap-based out-of-bounds write
     vulnerability in the drivers/driver_nmea2000.c file.
     The hnd_129540 function, which handles NMEA2000 PGN 129540
     (GNSS Satellites in View) packets, fails to validate the
     user-supplied satellite count against the size of the skyview
     array (184 elements). This allows an attacker to write beyond
     the bounds of the array by providing a satellite count up
     to 255, leading to memory corruption, Denial of Service (DoS),
     and potentially arbitrary code execution.
   * Fix CVE-2025-67269 (Closes: #1124799).
     An integer underflow vulnerability exists in the `nextstate()`
     function in `gpsd/packet.c`.
     When parsing a NAVCOM packet, the payload length is calculated
     using `lexer->length = (size_t)c - 4` without checking if
     the input byte `c` is less than 4. This results in an unsigned
     integer underflow, setting `lexer->length` to a very large value
     (near `SIZE_MAX`). The parser then enters a loop attempting to
     consume this massive number of bytes, causing 100% CPU utilization
     and a Denial of Service (DoS) condition.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----


--- End Message ---
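
The unsigned wrap described for CVE-2025-67269 and the guard that prevents it, as an added example that is not gpsd's lexer and not part of the original messages: a small model state machine that rejects a length byte below 4 before subtracting. The state names, `struct lexer` layout and `run()` helper are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum state { GROUND, EXPECT_LEN, PAYLOAD, DONE };  /* hypothetical states */
struct lexer { enum state st; size_t length; };

/* The unchecked computation quoted in the changelog; wraps for c < 4. */
size_t unchecked_length(uint8_t c) { return (size_t)c - 4; }

/* One step of the model lexer with the guard applied before subtracting. */
enum state next_state(struct lexer *lx, uint8_t c) {
    switch (lx->st) {
    case EXPECT_LEN:
        if (c < 4) {               /* length smaller than fixed overhead */
            lx->st = GROUND;       /* drop the packet and resynchronise */
            break;
        }
        lx->length = (size_t)c - 4;
        lx->st = lx->length ? PAYLOAD : DONE;
        break;
    case PAYLOAD:
        if (--lx->length == 0)
            lx->st = DONE;
        break;
    default:
        break;
    }
    return lx->st;
}

/* Feed a constructed byte string: in[0] is the length byte. */
enum state run(const uint8_t *in, size_t n) {
    struct lexer lx = { EXPECT_LEN, 0 };
    for (size_t i = 0; i < n && lx.st != DONE && lx.st != GROUND; i++)
        next_state(&lx, in[i]);
    return lx.st;
}

int main(void) {
    const uint8_t bad[] = { 3, 0xAA, 0xBB }, good[] = { 6, 0xAA, 0xBB };
    printf("unchecked length for c=3: %zu\n", unchecked_length(3));
    printf("bad -> %d, good -> %d\n", run(bad, 3), run(good, 3));
    return 0;
}
```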