Hi,

On 3/30/19 8:32 AM, Salvatore Bonaccorso wrote:
> Hi Bernd,
>
> On Fri, Mar 29, 2019 at 10:54:50PM +0100, Bernd Zeimetz wrote:
>> Hi Salvatore,
>>
>>> The following vulnerability was published for gpsd, not completely sure
>>> on severity and on if the referenced upstream commit is enough.
>>> Ideally though the fix seems ideal to go to buster.
>>
>> I've tried to get more information out of Upstream, but did not get a
>> reply yet. So I'll prepare an upload with the mentioned commit. Looking
>> through the commit logs from gpsd it seems to be the only relevant one.
>
> Ack thank you for investigating, I was neither more successful to
> determine if that's enough.
>
> Cc'ing the security team alias, if anyone has more ideas.

So I'd go with
https://github.com/bzed/pkg-gpsd/blob/buster/debian/patches/json-cve-fix
which contains all changes to json.c/.h up to
a399e85c1201400e281f2c1dc29dde21c29b0088 from the upstream repository.
Later changes are not relevant here.

Any objections?

Bernd

--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F