Bug 1679311 (CVE-2018-17937)

Summary: CVE-2018-17937 gpsd: Stack-based buffer overflow
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: mlichvar, nsl, TicoTimo
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-27 03:25:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Pedro Sampaio 2019-02-20 21:01:39 UTC 
A stack-based buffer overflow flaw was found in gpsd versions 2.90 to 3.17. Successful exploitation of this vulnerability could allow remote code execution, data exfiltration, or denial-of service via device crash.

Upstream patch:

https://git.savannah.gnu.org/cgit/gpsd.git/commit/json.c?id=7646cbd04055a50b157312ba6b376e88bd398c19

References:

https://ics-cert.us-cert.gov/advisories/ICSA-18-310-01
Comment 1 Fedora Update System 2019-03-06 06:57:55 UTC 
gpsd-3.17-6.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Comment 2 Nicholas Luedtke 2019-03-06 12:18:08 UTC 
This was assigned CVE-2018-17937.
Comment 3 Fedora Update System 2019-03-06 15:28:01 UTC 
gpsd-3.17-6.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.