gpsd (3.27.5-0.1)
[PTS] [DDPO]
OK: VCS matches the version in the archive
- Git: https://salsa.debian.org/debian-gps-team/pkg-gpsd.git
-
- Branch: master
- Path: debian/changelog
- Repo size: 8691712
- Browser: https://salsa.debian.org/debian-gps-team/pkg-gpsd/
- Last scan: 2026-03-09 12:46:08+00
- Next scan: 2026-03-17 02:41:00+00
- CI pipeline status: failed
- Debian changelog in Git:
gpsd (3.27.5-0.1) unstable; urgency=medium
* Non-maintainer upload
* New upstream version
* Fix CVE-2025-67268 (Closes: #1124800).
gpsd contains a heap-based out-of-bounds write
vulnerability in the drivers/driver_nmea2000.c file.
The hnd_129540 function, which handles NMEA2000 PGN 129540
(GNSS Satellites in View) packets, fails to validate the
user-supplied satellite count against the size of the skyview
array (184 elements). This allows an attacker to write beyond
the bounds of the array by providing a satellite count up
to 255, leading to memory corruption, Denial of Service (DoS),
and potentially arbitrary code execution.
* Fix CVE-2025-67269 (Closes: #1124799).
An integer underflow vulnerability exists in the `nextstate()`
function in `gpsd/packet.c`.
When parsing a NAVCOM packet, the payload length is calculated
using `lexer->length = (size_t)c - 4` without checking if
the input byte `c` is less than 4. This results in an unsigned
integer underflow, setting `lexer->length` to a very large value
(near `SIZE_MAX`). The parser then enters a loop attempting to
consume this massive number of bytes, causing 100% CPU utilization
and a Denial of Service (DoS) condition.
-- Bastien Roucariès <rouca@debian.org> Sat, 17 Jan 2026 16:47:06 +0100
- This branch is even with tag debian/3.27.5-0.1
