Mageia alert MGASA-2026-0028 (gpsd)
| From: | Mageia Updates <updates-announce@ml.mageia.org> | |
| To: | updates-announce@ml.mageia.org | |
| Subject: | [updates-announce] MGASA-2026-0028: Updated gpsd packages fix security vulnerabilities | |
| Date: | Fri, 30 Jan 2026 01:40:16 +0100 | |
| Message-ID: | <20260130004016.EBD00A0DE2@duvel.mageia.org> | |
| Archive-link: | Article |
MGASA-2026-0028 - Updated gpsd packages fix security vulnerabilities Publication date: 30 Jan 2026 URL: https://advisories.mageia.org/MGASA-2026-0028.html Type: security Affected Mageia releases: 9 CVE: CVE-2025-67268, CVE-2025-67269 Description: gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution. (CVE-2025-67268) An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition. (CVE-2025-67269) References: - https://bugs.mageia.org/show_bug.cgi?id=34959 - https://ubuntu.com/security/notices/USN-7948-1 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6... SRPMS: - 9/core/gpsd-3.25-1.1.mga9