CVE-2018-17937

Name: CVE-2018-17937
Description: gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open source project, allow a stack-based buffer overflow, which may allow remote attackers to execute arbitrary code on embedded platforms via traffic on Port 2947/TCP or crafted JSON inputs.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-1738-1, DLA-2795-1
Debian Bugs: 925327

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| gpsd (PTS) | buster | 3.17-7 | fixed |
| | bullseye | 3.22-4 | fixed |
| | bookworm | 3.22-4.1 | fixed |
| | trixie | 3.25-2 | fixed |
| | sid | 3.25-3 | fixed |

The information below is based on the following data on fixed versions.

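| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| gpsd | source | experimental | 3.18.1-1 | | | |
| gpsd | source | jessie | 3.11-3+deb8u1 | | DLA-1738-1 | |
| gpsd | source | stretch | 3.16-4+deb9u1 | | DLA-2795-1 | |
| gpsd | source | (unstable) | 3.17-6 | low | | 925327 |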

Notes

http://git.savannah.nongnu.org/cgit/gpsd.git/commit/?id=7646cbd04055a50b157312ba6b376e88bd398c19
