gpsd-dev

Re: CVE-2023-43628?


From: Gary E. Miller
Subject: Re: CVE-2023-43628?
Date: Mon, 11 Dec 2023 11:48:43 -0800

Yo Miroslav!

On Mon, 11 Dec 2023 12:46:25 +0100
Miroslav Lichvar <mlichvar@redhat.com> wrote:

> There is a report of a security vulnerability in gpsd:
> 
> https://talosintelligence.com/vulnerability_reports/TALOS-2023-1860

Sadly, yes.

> The report says 3.25.1~dev.

It originally said 3.25.1, at least I got that fixed.

> I don't see a 3.25.1 release and the 3.25
> code seems very different.

Yes.  This CVE is to recently added code for a new feature (HTTP
chunking of NTRIP v2).  To "exploit" this you need to configure
gpsd to contact a hostile NTRIP server.  And then you get a
crash.  It needed to be fixed before release, and it was nice
of them to report it clearly, but dinging gpsd with a CVE is just
causing FUD.

I expect our usual prerelease process (Codacy, Coverity, etc.) would
have caught this if it had persisted that long.

> Does anyone know why a CVE was assigned for
> this?

I'm sure someone does, but none of us.  I objected, but that
never does any good.

> If this doesn't impact an actual release, could you please
> dispute it with MITRE?

Talos is Cisco, not Mitre.  Cisco has always done what Cisco wants to

This sort of thing is why I am confused by the !CVE project.  They
complain that maintainers are refusing CVE on real bugs.  I've never seen
anyone be able to stop a CVE.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
        gem@rellim.com  Tel:+1 541 382 8588

            Veritas liberabit vos. -- Quid est veritas?
    "If you can't measure it, you can't improve it." - Lord Kelvin
