Hi, That report states that the bug affects 3.25.1~dev. There is no such gpsd release.
I did check with upstream - that is a development git tree. And the problem is already fixed and will not affect the next gpsd version (supposedly 3.26) 3.25-2 in Debian is also not affected. I'd suggest closing this bug. With best regards, b. On Wed, 2023-12-06 at 22:56 +0100, Salvatore Bonaccorso wrote: > Source: gpsd > Version: 3.25-2 > Severity: important > Tags: security upstream > X-Debbugs-Cc: car...@debian.org, Debian Security Team > <t...@security.debian.org> > > Hi, > > The following vulnerability was published for gpsd. > > CVE-2023-43628[0]: > > An integer underflow vulnerability exists in the NTRIP Stream > > Parsing functionality of GPSd 3.25.1~dev. A specially crafted > > network packet can lead to memory corruption. An attacker can send a > > malicious packet to trigger this vulnerability. > > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2023-43628 > https://www.cve.org/CVERecord?id=CVE-2023-43628 > [1] https://talosintelligence.com/vulnerability_reports/TALOS-2023-1860 > > Please adjust the affected versions in the BTS as needed. > > Regards, > Salvatore > > -- System Information: > Debian Release: trixie/sid > APT prefers unstable > APT policy: (500, 'unstable'), (1, 'experimental') > Architecture: amd64 (x86_64) > > Kernel: Linux 6.6-amd64 (SMP w/8 CPU threads; PREEMPT) > Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set > Shell: /bin/sh linked to /usr/bin/dash > Init: systemd (via /run/systemd/system) > LSM: AppArmor: enabled
