Gpsd
Monthly
Arbitrary shell command execution in gpsd's gpsprof profiling tool (through release-3.27.5) allows an attacker who controls a GPS device's subtype value to run commands as the user rendering the plot. The subtype string - taken from a DEVICES JSON log entry or an NMEA PGRMT sentence - is embedded into a generated gnuplot program's `set title` statement with only double quotes escaped, so backtick payloads execute when the victim renders the plot via the gpsprof/gnuplot workflow. This was reported by VulnCheck; a vendor fix is available (fixed at commit 4c06658), and there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. [CVSS 7.5 HIGH]
gpsd (before commit dc966aa) has a heap buffer overflow in the NMEA2000 satellite view handler (PGN 129540). A malicious satellite count value overwrites the skyview array, enabling code execution on GPS daemon processes. PoC available, patch available.
An integer underflow vulnerability exists in the NTRIP Stream Parsing functionality of GPSd 3.25.1~dev. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The NMEA0183 driver in gpsd before 3.9 allows remote attackers to cause a denial of service (daemon termination) and possibly execute arbitrary code via a GPS packet with a malformed $GPGGA. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
Arbitrary shell command execution in gpsd's gpsprof profiling tool (through release-3.27.5) allows an attacker who controls a GPS device's subtype value to run commands as the user rendering the plot. The subtype string - taken from a DEVICES JSON log entry or an NMEA PGRMT sentence - is embedded into a generated gnuplot program's `set title` statement with only double quotes escaped, so backtick payloads execute when the victim renders the plot via the gpsprof/gnuplot workflow. This was reported by VulnCheck; a vendor fix is available (fixed at commit 4c06658), and there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. [CVSS 7.5 HIGH]
gpsd (before commit dc966aa) has a heap buffer overflow in the NMEA2000 satellite view handler (PGN 129540). A malicious satellite count value overwrites the skyview array, enabling code execution on GPS daemon processes. PoC available, patch available.
An integer underflow vulnerability exists in the NTRIP Stream Parsing functionality of GPSd 3.25.1~dev. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The NMEA0183 driver in gpsd before 3.9 allows remote attackers to cause a denial of service (daemon termination) and possibly execute arbitrary code via a GPS packet with a malformed $GPGGA. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.