gpsd: patch CVE-2025-67268

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-67268 Pick the patch that is referenced by the NVD advisory. The original commit also contains a lot of commenting style changes (// vs /* */) and whitespace changes which were removed from the backport. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-02-02 22:13:53 +0100
committer: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-02-03 08:07:24 +0530
commit: 4b7fc39111ff016cc6203fbabe3489495b9df6bb (patch)
tree: e4323c163e6dc57569ea72c0e1247bcef1e61b0f
parent: 4d7a1ff88ce82dd1a97106fed36978dea02d7120 (diff)
download: meta-openembedded-4b7fc39111ff016cc6203fbabe3489495b9df6bb.tar.gz
2 files changed, 98 insertions, 0 deletions
diff --git a/meta-oe/recipes-navigation/gpsd/gpsd/CVE-2025-67268.patch b/meta-oe/recipes-navigation/gpsd/gpsd/CVE-2025-67268.patch
new file mode 100644
index 0000000000..d32e5095e2
--- /dev/null
+++ b/meta-oe/recipes-navigation/gpsd/gpsd/CVE-2025-67268.patch
@@ -0,0 +1,97 @@
+From 6045f465f3ab253e1075b5b3666fd95ede4fb848 Mon Sep 17 00:00:00 2001
+From: "Gary E. Miller" <gem@rellim.com>
+Date: Tue, 2 Dec 2025 19:36:04 -0800
+Subject: [PATCH] drivers/driver_nmea2000.c: Fix issue 356, skyview buffer
+ overrun.
+CVE: CVE-2025-67268
+Upstream-Status: Backport [https://github.com/ntpsec/gpsd/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ drivers/driver_nmea2000.c | 50 ++++++++++++++++++++++++++-------------
+ 1 file changed, 33 insertions(+), 17 deletions(-)
+diff --git a/drivers/driver_nmea2000.c b/drivers/driver_nmea2000.c
+index 71e04e1..6854b2d 100644
+--- a/drivers/driver_nmea2000.c
+++ b/drivers/driver_nmea2000.c
+@@ -89,14 +89,14 @@ static int scale_int(int32_t var, const int64_t factor)
+ static void print_data(struct gps_context_t *context,
+                        unsigned char *buffer, int len, PGN *pgn)
+ {
+-    if ((libgps_debuglevel >= LOG_IO) != 0) {
+-        int   l1, l2, ptr;
+    if (LOG_IO <= libgps_debuglevel) {
+        int   l1;
+         char  bu[128];
+ 
+-        ptr = 0;
+-        l2 = sprintf(&bu[ptr], "got data:%6u:%3d: ", pgn->pgn, len);
+        int ptr = 0;
+        int l2 = sprintf(&bu[ptr], "got data:%6u:%3d: ", pgn->pgn, len);
+         ptr += l2;
+-        for (l1=0;l1<len;l1++) {
+        for (l1 = 0; l1 < len; l1++) {
+             if (((l1 % 20) == 0) && (l1 != 0)) {
+                 GPSD_LOG(LOG_IO, &context->errout, "%s\n", bu);
+                 ptr = 0;
+@@ -434,6 +434,7 @@ static gps_mask_t hnd_129540(unsigned char *bu, int len, PGN *pgn,
+                              struct gps_device_t *session)
+ {
+     int         l1;
+    int         expected_len;
+ 
+     print_data(session->context, bu, len, pgn);
+     GPSD_LOG(LOG_DATA, &session->context->errout,
+@@ -441,24 +442,39 @@ static gps_mask_t hnd_129540(unsigned char *bu, int len, PGN *pgn,
+ 
+     session->driver.nmea2000.sid[2]           = bu[0];
+     session->gpsdata.satellites_visible       = (int)bu[2];
+    if (MAXCHANNELS <= session->gpsdata.satellites_visible) {
+        // Handle a CVE for overrunning skyview[]
+        GPSD_LOG(LOG_WARN, &session->context->errout,
+                 "pgn %6d(%3d): Too many sats %d\n",
+                 pgn->pgn, session->driver.nmea2000.unit,
+                 session->gpsdata.satellites_visible);
+        session->gpsdata.satellites_visible = MAXCHANNELS;
+    }
+    expected_len = 3 + (12 * session->gpsdata.satellites_visible);
+    if (len != expected_len) {
+        GPSD_LOG(LOG_WARN, &session->context->errout,
+                 "pgn %6d(%3d): wrong  length %d s/b %d\n",
+                 pgn->pgn, session->driver.nmea2000.unit,
+                 len, expected_len);
+        return 0;
+    }
+ 
+     memset(session->gpsdata.skyview, '\0', sizeof(session->gpsdata.skyview));
+-    for (l1=0;l1<session->gpsdata.satellites_visible;l1++) {
+-        int    svt;
+-        double azi, elev, snr;
+-
+-        elev  = getles16(bu, 3+12*l1+1) * 1e-4 * RAD_2_DEG;
+-        azi   = getleu16(bu, 3+12*l1+3) * 1e-4 * RAD_2_DEG;
+-        snr   = getles16(bu, 3+12*l1+5) * 1e-2;
+    for (l1 = 0; l1 < session->gpsdata.satellites_visible; l1++) {
+        int offset = 3 + (12 * l1);
+        double elev  = getles16(bu, offset + 1) * 1e-4 * RAD_2_DEG;
+        double azi   = getleu16(bu, offset + 3) * 1e-4 * RAD_2_DEG;
+        double snr   = getles16(bu, offset + 5) * 1e-2;
+ 
+-        svt   = (int)(bu[3+12*l1+11] & 0x0f);
+        int svt   = (int)(bu[offset + 11] & 0x0f);
+ 
+-        session->gpsdata.skyview[l1].elevation  = (short) (round(elev));
+-        session->gpsdata.skyview[l1].azimuth    = (short) (round(azi));
+        session->gpsdata.skyview[l1].elevation  = elev;
+        session->gpsdata.skyview[l1].azimuth    = azi;
+         session->gpsdata.skyview[l1].ss         = snr;
+-        session->gpsdata.skyview[l1].PRN        = (short)bu[3+12*l1+0];
+        session->gpsdata.skyview[l1].PRN        = (int16_t)bu[offset];
+         session->gpsdata.skyview[l1].used = false;
+-        if ((svt == 2) || (svt == 5)) {
+        if ((2 == svt) ||
+            (5 == svt)) {
+             session->gpsdata.skyview[l1].used = true;
+         }
+     }
diff --git a/meta-oe/recipes-navigation/gpsd/gpsd_3.26.1.bb b/meta-oe/recipes-navigation/gpsd/gpsd_3.26.1.bb
index e4a571daa6..6462d7b6f2 100644
--- a/meta-oe/recipes-navigation/gpsd/gpsd_3.26.1.bb
+++ b/meta-oe/recipes-navigation/gpsd/gpsd_3.26.1.bb
@@ -9,6 +9,7 @@ HOMEPAGE = "https://gpsd.io/"
 SRC_URI = "${SAVANNAH_GNU_MIRROR}/${BPN}/${BP}.tar.gz \
           file://gpsd.init \
+           file://CVE-2025-67268.patch \
           "
 SRC_URI[sha256sum] = "dc7e465968c1540e61bc57c7586d6a57a0047212a014efdad348f907bc2e0990"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-02-02 22:13:53 +0100
committer	Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-03 08:07:24 +0530
commit	4b7fc39111ff016cc6203fbabe3489495b9df6bb (patch)
tree	e4323c163e6dc57569ea72c0e1247bcef1e61b0f
parent	4d7a1ff88ce82dd1a97106fed36978dea02d7120 (diff)
download	meta-openembedded-4b7fc39111ff016cc6203fbabe3489495b9df6bb.tar.gz

diff --git a/meta-oe/recipes-navigation/gpsd/gpsd/CVE-2025-67268.patch b/meta-oe/recipes-navigation/gpsd/gpsd/CVE-2025-67268.patch new file mode 100644 index 0000000000..d32e5095e2 --- /dev/null +++ b/meta-oe/recipes-navigation/gpsd/gpsd/CVE-2025-67268.patch
@@ -0,0 +1,97 @@
		1	From 6045f465f3ab253e1075b5b3666fd95ede4fb848 Mon Sep 17 00:00:00 2001
		2	From: "Gary E. Miller" <gem@rellim.com>
		3	Date: Tue, 2 Dec 2025 19:36:04 -0800
		4	Subject: [PATCH] drivers/driver_nmea2000.c: Fix issue 356, skyview buffer
		5	overrun.
		6
		7	CVE: CVE-2025-67268
		8	Upstream-Status: Backport [https://github.com/ntpsec/gpsd/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4]
		9	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		10	---
		11	drivers/driver_nmea2000.c \| 50 ++++++++++++++++++++++++++-------------
		12	1 file changed, 33 insertions(+), 17 deletions(-)
		13
		14	diff --git a/drivers/driver_nmea2000.c b/drivers/driver_nmea2000.c
		15	index 71e04e1..6854b2d 100644
		16	--- a/drivers/driver_nmea2000.c
		17	+++ b/drivers/driver_nmea2000.c
		18	@@ -89,14 +89,14 @@ static int scale_int(int32_t var, const int64_t factor)
		19	static void print_data(struct gps_context_t *context,
		20	unsigned char buffer, int len, PGN pgn)
		21	{
		22	- if ((libgps_debuglevel >= LOG_IO) != 0) {
		23	- int l1, l2, ptr;
		24	+ if (LOG_IO <= libgps_debuglevel) {
		25	+ int l1;
		26	char bu[128];
		27
		28	- ptr = 0;
		29	- l2 = sprintf(&bu[ptr], "got data:%6u:%3d: ", pgn->pgn, len);
		30	+ int ptr = 0;
		31	+ int l2 = sprintf(&bu[ptr], "got data:%6u:%3d: ", pgn->pgn, len);
		32	ptr += l2;
		33	- for (l1=0;l1<len;l1++) {
		34	+ for (l1 = 0; l1 < len; l1++) {
		35	if (((l1 % 20) == 0) && (l1 != 0)) {
		36	GPSD_LOG(LOG_IO, &context->errout, "%s\n", bu);
		37	ptr = 0;
		38	@@ -434,6 +434,7 @@ static gps_mask_t hnd_129540(unsigned char bu, int len, PGN pgn,
		39	struct gps_device_t *session)
		40	{
		41	int l1;
		42	+ int expected_len;
		43
		44	print_data(session->context, bu, len, pgn);
		45	GPSD_LOG(LOG_DATA, &session->context->errout,
		46	@@ -441,24 +442,39 @@ static gps_mask_t hnd_129540(unsigned char bu, int len, PGN pgn,
		47
		48	session->driver.nmea2000.sid[2] = bu[0];
		49	session->gpsdata.satellites_visible = (int)bu[2];
		50	+ if (MAXCHANNELS <= session->gpsdata.satellites_visible) {
		51	+ // Handle a CVE for overrunning skyview[]
		52	+ GPSD_LOG(LOG_WARN, &session->context->errout,
		53	+ "pgn %6d(%3d): Too many sats %d\n",
		54	+ pgn->pgn, session->driver.nmea2000.unit,
		55	+ session->gpsdata.satellites_visible);
		56	+ session->gpsdata.satellites_visible = MAXCHANNELS;
		57	+ }
		58	+ expected_len = 3 + (12 * session->gpsdata.satellites_visible);
		59	+ if (len != expected_len) {
		60	+ GPSD_LOG(LOG_WARN, &session->context->errout,
		61	+ "pgn %6d(%3d): wrong length %d s/b %d\n",
		62	+ pgn->pgn, session->driver.nmea2000.unit,
		63	+ len, expected_len);
		64	+ return 0;
		65	+ }
		66
		67	memset(session->gpsdata.skyview, '\0', sizeof(session->gpsdata.skyview));
		68	- for (l1=0;l1<session->gpsdata.satellites_visible;l1++) {
		69	- int svt;
		70	- double azi, elev, snr;
		71	-
		72	- elev = getles16(bu, 3+12l1+1) 1e-4 * RAD_2_DEG;
		73	- azi = getleu16(bu, 3+12l1+3) 1e-4 * RAD_2_DEG;
		74	- snr = getles16(bu, 3+12l1+5) 1e-2;
		75	+ for (l1 = 0; l1 < session->gpsdata.satellites_visible; l1++) {
		76	+ int offset = 3 + (12 * l1);
		77	+ double elev = getles16(bu, offset + 1) * 1e-4 * RAD_2_DEG;
		78	+ double azi = getleu16(bu, offset + 3) * 1e-4 * RAD_2_DEG;
		79	+ double snr = getles16(bu, offset + 5) * 1e-2;
		80
		81	- svt = (int)(bu[3+12*l1+11] & 0x0f);
		82	+ int svt = (int)(bu[offset + 11] & 0x0f);
		83
		84	- session->gpsdata.skyview[l1].elevation = (short) (round(elev));
		85	- session->gpsdata.skyview[l1].azimuth = (short) (round(azi));
		86	+ session->gpsdata.skyview[l1].elevation = elev;
		87	+ session->gpsdata.skyview[l1].azimuth = azi;
		88	session->gpsdata.skyview[l1].ss = snr;
		89	- session->gpsdata.skyview[l1].PRN = (short)bu[3+12*l1+0];
		90	+ session->gpsdata.skyview[l1].PRN = (int16_t)bu[offset];
		91	session->gpsdata.skyview[l1].used = false;
		92	- if ((svt == 2) \|\| (svt == 5)) {
		93	+ if ((2 == svt) \|\|
		94	+ (5 == svt)) {
		95	session->gpsdata.skyview[l1].used = true;
		96	}
		97	}


diff --git a/meta-oe/recipes-navigation/gpsd/gpsd_3.26.1.bb b/meta-oe/recipes-navigation/gpsd/gpsd_3.26.1.bb index e4a571daa6..6462d7b6f2 100644 --- a/meta-oe/recipes-navigation/gpsd/gpsd_3.26.1.bb +++ b/meta-oe/recipes-navigation/gpsd/gpsd_3.26.1.bb
@@ -9,6 +9,7 @@ HOMEPAGE = "https://gpsd.io/"
9		9
10	SRC_URI = "${SAVANNAH_GNU_MIRROR}/${BPN}/${BP}.tar.gz \	10	SRC_URI = "${SAVANNAH_GNU_MIRROR}/${BPN}/${BP}.tar.gz \
11	file://gpsd.init \	11	file://gpsd.init \
		12	file://CVE-2025-67268.patch \
12	"	13	"
13	SRC_URI[sha256sum] = "dc7e465968c1540e61bc57c7586d6a57a0047212a014efdad348f907bc2e0990"	14	SRC_URI[sha256sum] = "dc7e465968c1540e61bc57c7586d6a57a0047212a014efdad348f907bc2e0990"
14		15