CVE-2018-17937

Name: CVE-2018-17937
Description: gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open source project, allow a stack-based buffer overflow, which may allow remote attackers to execute arbitrary code on embedded platforms via traffic on Port 2947/TCP or crafted JSON inputs.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1738-1, DLA-2795-1
NVD severity: medium
Debian Bugs: 925327

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| gpsd (PTS) | stretch | 3.16-4 | vulnerable |
| | stretch (security) | 3.16-4+deb9u1 | fixed |
| | buster | 3.17-7 | fixed |
| | bookworm, sid, bullseye | 3.22-4 | fixed |

The information below is based on the following data on fixed versions.

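| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| gpsd | source | experimental | 3.18.1-1 | | | |
| gpsd | source | jessie | 3.11-3+deb8u1 | | DLA-1738-1 | |
| gpsd | source | stretch | 3.16-4+deb9u1 | | DLA-2795-1 | |
| gpsd | source | (unstable) | 3.17-6 | low | | 925327 |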

Notes

http://git.savannah.nongnu.org/cgit/gpsd.git/commit/?id=7646cbd04055a50b157312ba6b376e88bd398c19
