Debian Package Tracker
Register | Log in
Subscribe

gpsd

Global Positioning System - daemon

Choose email to subscribe with

general
  • source: gpsd (main)
  • version: 3.27.5-0.1
  • maintainer: Boian Bonev (DMD) (DM)
  • arch: any
  • std-ver: 4.7.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 3.22-4
  • o-o-sec: 3.22-4+deb11u1
  • oldstable: 3.22-4.1+deb12u1
  • stable: 3.25-5+deb13u1
  • testing: 3.27.5-0.1
  • unstable: 3.27.5-0.1
versioned links
  • 3.22-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.22-4+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.22-4.1+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.25-5+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.27.5-0.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • gpsd (17 bugs: 0, 13, 4, 0)
  • gpsd-clients (4 bugs: 0, 3, 1, 0)
  • gpsd-tools (2 bugs: 0, 2, 0, 0)
  • libgps-dev
  • libgps32
  • libqgpsmm-dev
  • libqgpsmm32
  • python3-gps (2 bugs: 0, 2, 0, 0)
action needed
1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:
  • CVE-2026-58459: gpsd through release-3.27.5, fixed at commit 4c06658, contains a command injection vulnerability in gpsprof that allows attackers who control the GPS device subtype value to execute arbitrary shell commands by embedding backtick payloads in the gnuplot plot title without proper escaping. The subtype field sourced from a DEVICES JSON log entry or NMEA PGRMT sentence is written into a generated gnuplot program via a set title statement with only double-quote characters escaped, enabling arbitrary shell command execution as the user running gnuplot when the victim renders the generated plot through the gpsprof and gnuplot workflow.
Created: 2026-07-10 Last update: 2026-07-10 11:30
1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:
  • CVE-2026-58459: gpsd through release-3.27.5, fixed at commit 4c06658, contains a command injection vulnerability in gpsprof that allows attackers who control the GPS device subtype value to execute arbitrary shell commands by embedding backtick payloads in the gnuplot plot title without proper escaping. The subtype field sourced from a DEVICES JSON log entry or NMEA PGRMT sentence is written into a generated gnuplot program via a set title statement with only double-quote characters escaped, enabling arbitrary shell command execution as the user running gnuplot when the victim renders the generated plot through the gpsprof and gnuplot workflow.
Created: 2026-07-10 Last update: 2026-07-10 11:30
1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:
  • CVE-2026-58459: gpsd through release-3.27.5, fixed at commit 4c06658, contains a command injection vulnerability in gpsprof that allows attackers who control the GPS device subtype value to execute arbitrary shell commands by embedding backtick payloads in the gnuplot plot title without proper escaping. The subtype field sourced from a DEVICES JSON log entry or NMEA PGRMT sentence is written into a generated gnuplot program via a set title statement with only double-quote characters escaped, enabling arbitrary shell command execution as the user running gnuplot when the victim renders the generated plot through the gpsprof and gnuplot workflow.
Created: 2026-07-10 Last update: 2026-07-10 11:30
1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:
  • CVE-2026-58459: gpsd through release-3.27.5, fixed at commit 4c06658, contains a command injection vulnerability in gpsprof that allows attackers who control the GPS device subtype value to execute arbitrary shell commands by embedding backtick payloads in the gnuplot plot title without proper escaping. The subtype field sourced from a DEVICES JSON log entry or NMEA PGRMT sentence is written into a generated gnuplot program via a set title statement with only double-quote characters escaped, enabling arbitrary shell command execution as the user running gnuplot when the victim renders the generated plot through the gpsprof and gnuplot workflow.
Created: 2026-07-10 Last update: 2026-07-10 11:30
1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:
  • CVE-2026-58459: gpsd through release-3.27.5, fixed at commit 4c06658, contains a command injection vulnerability in gpsprof that allows attackers who control the GPS device subtype value to execute arbitrary shell commands by embedding backtick payloads in the gnuplot plot title without proper escaping. The subtype field sourced from a DEVICES JSON log entry or NMEA PGRMT sentence is written into a generated gnuplot program via a set title statement with only double-quote characters escaped, enabling arbitrary shell command execution as the user running gnuplot when the victim renders the generated plot through the gpsprof and gnuplot workflow.
Created: 2026-07-10 Last update: 2026-07-10 11:30
debian/patches: 1 patch with invalid metadata, 5 patches to forward upstream high

Among the 6 debian patches available in version 3.27.5-0.1 of the package, we noticed the following issues:

  • 1 patch with invalid metadata that ought to be fixed.
  • 5 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2026-01-20 11:00
AppStream hints: 2 errors and 2 warnings high
AppStream found metadata issues for packages:
  • gpsd-clients: 2 errors and 2 warnings
You should get rid of them to provide more metadata about this software.
Created: 2020-06-01 Last update: 2022-01-21 06:05
2 bugs tagged patch in the BTS normal
The BTS contains patches fixing 2 bugs, consider including or untagging them.
Created: 2026-06-02 Last update: 2026-07-12 23:30
Depends on packages which need a new maintainer normal
The packages that gpsd depends on which need a new maintainer are:
  • docbook-xsl (#802370)
    • Build-Depends: docbook-xsl
Created: 2023-09-01 Last update: 2026-07-12 22:49
2 open merge requests in Salsa normal
There are 2 open merge requests for this package on Salsa. You should consider reviewing and/or merging these merge requests.
Created: 2026-05-09 Last update: 2026-05-23 11:48
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.2).
Created: 2025-12-23 Last update: 2026-03-31 15:01
news
[rss feed]
  • [2026-05-02] Accepted gpsd 3.22-4.1+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Bastien ROUCARIÈS)
  • [2026-03-01] Accepted gpsd 3.25-5+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Bastien ROUCARIÈS)
  • [2026-01-22] gpsd 3.27.5-0.1 MIGRATED to testing (Debian testing watch)
  • [2026-01-19] Accepted gpsd 3.27.5-0.1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
  • [2026-01-18] Accepted gpsd 3.22-4+deb11u1 (source) into oldoldstable-security (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
  • [2025-11-29] gpsd 3.27-1.1 MIGRATED to testing (Debian testing watch)
  • [2025-11-27] Accepted gpsd 3.27-1.1 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
  • [2025-11-26] Accepted gpsd 3.27-1 (source amd64) into experimental (Debian FTP Masters) (signed by: bage@debian.org)
  • [2025-11-19] gpsd 3.26.1-1 MIGRATED to testing (Debian testing watch)
  • [2025-11-16] Accepted gpsd 3.26.1-1 (source amd64) into unstable (Debian FTP Masters) (signed by: Alexandre Detiste)
  • [2025-01-22] gpsd 3.25-5 MIGRATED to testing (Debian testing watch)
  • [2025-01-19] Accepted gpsd 3.25-5 (source) into unstable (Boian Bonev)
  • [2024-05-26] gpsd 3.25-4 MIGRATED to testing (Debian testing watch)
  • [2024-05-23] Accepted gpsd 3.25-4 (source) into unstable (Boian Bonev)
  • [2024-05-03] gpsd 3.25-3 MIGRATED to testing (Debian testing watch)
  • [2024-02-29] Accepted gpsd 3.25-3 (source) into unstable (Boian Bonev)
  • [2024-02-11] Accepted gpsd 3.25-3~exp1 (source) into experimental (Boian Bonev)
  • [2024-02-06] Accepted gpsd 3.25-2.1~exp1 (source) into experimental (Steve Langasek)
  • [2023-09-14] gpsd 3.25-2 MIGRATED to testing (Debian testing watch)
  • [2023-09-11] Accepted gpsd 3.25-2 (source) into unstable (Boian Bonev)
  • [2023-07-01] gpsd 3.25-1 MIGRATED to testing (Debian testing watch)
  • [2023-06-28] Accepted gpsd 3.25-1 (source) into unstable (Boian Bonev)
  • [2023-06-26] Accepted gpsd 3.25-1~exp2 (source) into experimental (Boian Bonev) (signed by: bage@debian.org)
  • [2023-06-13] Accepted gpsd 3.25-1~exp1 (source amd64) into experimental (Debian FTP Masters) (signed by: bage@debian.org)
  • [2022-09-14] gpsd 3.22-4.1 MIGRATED to testing (Debian testing watch)
  • [2022-09-11] Accepted gpsd 3.22-4.1 (source) into unstable (Paul Gevers)
  • [2021-10-28] Accepted gpsd 3.16-4+deb9u1 (source) into oldoldstable (Adrian Bunk)
  • [2021-08-16] Accepted gpsd 3.22-4~bpo10+1 (source amd64) into buster-backports->backports-policy, buster-backports (Debian FTP Masters) (signed by: Bernd Zeimetz)
  • [2021-08-04] gpsd 3.22-4 MIGRATED to testing (Debian testing watch)
  • [2021-08-01] Accepted gpsd 3.22-4 (source) into unstable (Bernd Zeimetz)
  • 1
  • 2
bugs [bug history graph]
  • all: 33 34
  • RC: 0
  • I&N: 27 28
  • M&W: 6
  • F&P: 0
  • patch: 2
links
  • homepage
  • lintian
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 3.27.5-0.1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing