| Package | gpsd |
|---|---|
| Version | 3.17-7+deb10u1 (buster) |
| Related CVEs | CVE-2025-67268 CVE-2025-67269 |
Multiple vulnerabilities were found in gpsd, a service daemon that monitors Global Navigation Satellite System (GNSS) receivers attached to a host computer through serial or USB ports.
CVE-2025-67268
gpsd contains a heap-based out-of-bounds write
vulnerability in the drivers/driver_nmea2000.c file.
The hnd_129540 function, which handles NMEA2000 PGN 129540
(GNSS Satellites in View) packets, fails to validate the
user-supplied satellite count against the size of the skyview
array (184 elements). This allows an attacker to write beyond
the bounds of the array by providing a satellite count up
to 255, leading to memory corruption, Denial of Service (DoS),
and potentially arbitrary code execution.
CVE-2025-67269
An integer underflow vulnerability exists in the `nextstate()`
function in `gpsd/packet.c`.
When parsing a NAVCOM packet, the payload length is calculated
using `lexer->length = (size_t)c - 4` without checking if
the input byte `c` is less than 4. This results in an unsigned
integer underflow, setting `lexer->length` to a very large value
(near `SIZE_MAX`). The parser then enters a loop attempting to
consume this massive number of bytes, causing 100% CPU utilization
and a Denial of Service (DoS) condition.
For Debian 10 buster, these problems have been fixed in version 3.17-7+deb10u1.
We recommend that you upgrade your gpsd packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.