Bug#1126168: bookworm-pu: package gpsd/3.22-4.1+deb12u1

2026-04-03 Thread Jonathan Wiltshire
Control: tag -1 confirmed

Hi,

Please go ahead.

Thanks,

-- 
Jonathan Wiltshire  [email protected]
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1126168: bookworm-pu: package gpsd/3.22-4.1+deb12u1

2026-01-22 Thread Bastien Roucaries
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:gpsd
User: [email protected]
Usertags: pu

[ Reason ]
CVE-2025-67268
CVE-2025-67269

[ Impact ]
CVEs are not fixed

[ Tests ]
Automated during build


[ Risks ]
Low

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
CVE patches and salsaCI fix including a patch removing a systematic rebuild of
all rdeps (superseded and considered bad for salsa)

[ Other info ]
diff -Nru gpsd-3.22/debian/.gitlab-ci.yml gpsd-3.22/debian/.gitlab-ci.yml
--- gpsd-3.22/debian/.gitlab-ci.yml 2022-09-11 14:45:05.0 +
+++ gpsd-3.22/debian/.gitlab-ci.yml 2026-01-18 11:45:58.0 +
@@ -1,10 +1,9 @@
 include:
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
- - https://bzed.pages.debian.net/reverse-dependency-ci/gpsd.yml
 
 variables:
- RELEASE: 'unstable'
+ RELEASE: 'bookworm'
  SALSA_CI_DISABLE_APTLY: 0
  SALSA_CI_DISABLE_AUTOPKGTEST: 0
  SALSA_CI_DISABLE_BLHC: 0
@@ -13,5 +12,3 @@
  SALSA_CI_DISABLE_REPROTEST: 1
  SALSA_CI_DISABLE_BUILD_PACKAGE_ALL: 0
  SALSA_CI_DISABLE_BUILD_PACKAGE_ANY: 0
- SALSA_CI_ENABLE_REVERSE_DEPENDENCY_BUILD: 1
-
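Review bot: Dropping SALSA_CI_ENABLE_REVERSE_DEPENDENCY_BUILD here, together with the reverse-dependency-ci/gpsd.yml include removed in the previous hunk, takes the reverse-dependency build out of this branch's CI for an update that patches the packet lexer and the NMEA2000 driver. The [ Tests ] section says only "Automated during build"; it would help to state there which tests cover the two patched code paths and whether the reverse dependencies were rebuilt once by hand against this version.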
diff -Nru gpsd-3.22/debian/changelog gpsd-3.22/debian/changelog
--- gpsd-3.22/debian/changelog  2022-09-11 14:45:05.0 +
+++ gpsd-3.22/debian/changelog  2026-01-18 11:45:58.0 +
@@ -1,3 +1,30 @@
+gpsd (3.22-4.1+deb12u1) bookworm; urgency=medium
+
+  * Non-Maintainer Upload by LTS team
+  * Remove BD: makedev, breaks debusine
+  * Fix CVE-2025-67268 (Closes: #1124800).
+gpsd contains a heap-based out-of-bounds write
+vulnerability in the drivers/driver_nmea2000.c file.
+The hnd_129540 function, which handles NMEA2000 PGN 129540
+(GNSS Satellites in View) packets, fails to validate the
+user-supplied satellite count against the size of the skyview
+array (184 elements). This allows an attacker to write beyond
+the bounds of the array by providing a satellite count up
+to 255, leading to memory corruption, Denial of Service (DoS),
+and potentially arbitrary code execution.
+  * Fix CVE-2025-67269 (Closes: #1124799).
+An integer underflow vulnerability exists in the `nextstate()`
+function in `gpsd/packet.c`.
+When parsing a NAVCOM packet, the payload length is calculated
+using `lexer->length = (size_t)c - 4` without checking if
+the input byte `c` is less than 4. This results in an unsigned
+integer underflow, setting `lexer->length` to a very large value
+(near `SIZE_MAX`). The parser then enters a loop attempting to
+consume this massive number of bytes, causing 100% CPU utilization
+and a Denial of Service (DoS) condition.
+
+ -- Bastien Roucariès   Sun, 18 Jan 2026 12:45:58 +0100
+
 gpsd (3.22-4.1) unstable; urgency=medium
 
   * Non-maintainer upload
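Review bot: The new 3.22-4.1+deb12u1 entry lists the makedev removal and the two CVE fixes but not the debian/.gitlab-ci.yml changes (RELEASE switched to 'bookworm', reverse-dependency build removed), while the checklist states that all changes are documented in d/changelog. Please add a line for the salsa CI change. The two CVE items also describe only the flaws; a short clause on what each patch changes would let a reader of the changelog see the mitigation without opening debian/patches.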
diff -Nru gpsd-3.22/debian/control gpsd-3.22/debian/control
--- gpsd-3.22/debian/control2022-09-11 14:45:05.0 +
+++ gpsd-3.22/debian/control2026-01-18 11:45:58.0 +
@@ -10,7 +10,7 @@
  xsltproc, docbook-xsl, docbook-xml,
  libncurses-dev,
  libusb-1.0-0-dev,
- libdbus-1-dev, libglib2.0-dev, libdbus-glib-1-dev, makedev,
+ libdbus-1-dev, libglib2.0-dev, libdbus-glib-1-dev,
  libbluetooth-dev [linux-any],
  python3-matplotlib, python3-gps, python3-gi, python3-cairo, gir1.2-gtk-3.0, 
python3-serial, python3-gi-cairo,
  qtbase5-dev,
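Review bot: The makedev removal from Build-Depends is unrelated to the two CVEs and is not listed under [ Changes ] in the request, which mentions only the CVE patches and the salsa CI fix. The changelog gives "breaks debusine" as the reason with no bug reference; please mention the change in the request and confirm that nothing in the build invokes makedev, so the release team can judge it separately from the security fixes.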
diff -Nru gpsd-3.22/debian/patches/CVE-2025-67268.patch 
gpsd-3.22/debian/patches/CVE-2025-67268.patch
--- gpsd-3.22/debian/patches/CVE-2025-67268.patch   1970-01-01 
00:00:00.0 +
+++ gpsd-3.22/debian/patches/CVE-2025-67268.patch   2026-01-18 
11:45:58.0 +
@@ -0,0 +1,374 @@
+From: "Gary E. Miller" 
+Date: Sat, 17 Jan 2026 17:43:51 +0100
+Subject: [PATCH] drivers/driver_nmea2000.c: Fix issue 356,
+ skyview buffer  overrun.
+
+origin: 
https://gitlab.com/gpsd/gpsd/-/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4
+debian-bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124800
+---
+ drivers/driver_nmea2000.c | 123 ++
+ 1 file changed, 71 insertions(+), 52 deletions(-)
+
+diff --git a/drivers/driver_nmea2000.c b/drivers/driver_nmea2000.c
+index c97287f..35ba163 100644
+--- a/drivers/driver_nmea2000.c
 b/drivers/driver_nmea2000.c
+@@ -12,11 +12,11 @@
+  * Message contents can be had from canboat/analyzer:
+  * analyzer -explain
+  *
+- * This file is Copyright 2012 by the GPSD project
++ * This file is Copyright by the GPSD project
+  * SPDX-License-Identifier: BSD-2-clause
+  */
+ 
+-#include "../include/gpsd_config.h"  /* must be before all includes */
++#incl
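Review bot: The embedded upstream patch is 374 lines with a diffstat of 71 insertions and 52 deletions, and its first hunk (@@ -12,11 +12,11 @@) changes the copyright line from "Copyright 2012 by" to "Copyright by" and touches the include block, neither of which relates to the skyview overrun named in the Subject. For a stable update, consider trimming the backport to the lines that address the overrun, or state in the patch header that the upstream commit is taken unmodified, so reviewers can tell the security-relevant lines from the cosmetic ones.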