If your apps or gadgets break down on Sunday, this may be why: Gpsd bug to roll back clocks to 2002

Alternative headline: Yet another widely used project maintained thanklessly by 'some random person in Nebraska'

Come Sunday, October 24, 2021, those using applications that rely on gpsd for handling time data may find that they're living 1,024 weeks – 19.6 years – in the past.

A bug in gpsd that rolls clocks back to March, 2002, is set to strike this coming weekend.

The programming blunder was identified on July 24, 2021, and the errant code commit, written two years ago, has since been fixed. Now it's just a matter of making sure that every application and device deploying gpsd has applied the patch.

The Network Time Protocol (NTP) provides a way for devices and services to keep accurate time using a hierarchical set of servers rated in terms of precision, with "stratum 0" representing the most accurate time sources.

Gpsd is a service daemon that translates data from Global Positioning System (GPS), Global Navigation Satellite System (GNSS), and Automatic Identification System (AIS) transmission sources into a common format that's suitable for client applications. It's used to provide clock information to ntpd, the NTP daemon used by operating systems, to sync a device's system clock to time provided by a GPS/GNSS/AIS receiver – GPS satellites rely on multiple atomic clocks so their time data is highly accurate.

Gpsd is widely used. It's implemented in applications like Kismet, GpsDrive, gpeGPS, roadmap, roadnav, navit, viking, tangogps, foxtrot, obdgpslogger, geohist, LiveGPS, geoclue, qlandkartegt, gpredict, OpenCPN, gpsd-navigator, gpsd-ais-viewer, and Firefox.

It's available in Android, Linux, macOS, and other Unix-like operating systems. The gpsd website says the software shows up in mobile embedded systems like UAVs, robot submarines, driverless cars, and in applications used in marine navigation and military IFF (Identification Friend or Foe) systems.

GPS satellites keep track of the number of weeks that have passed since January 5, 1980. And they broadcast the week number as a 10-bit unsigned integer, which can represent values from 0 to 1023. So every 1024 weeks, or 19.6 years, the system rolls over.

The first time this happened was at the end of Saturday, August 21, 1999; the second time was at the end of Saturday, April 6, 2019. The third GPS week rollover is not scheduled to occur until Saturday, November 20, 2038, but the bug in gpsd – related to an integrity check routine in anticipation of a future leap second – will reset the GPS week number this weekend, as Saturday concludes and Sunday, October 24, 2021, begins.
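The week arithmetic described above, as an added Python example (not code from gpsd or from the original article): it reproduces the rollover dates and the 1,024-week rollback, then shows one way a consumer of GPS time could expand the 10-bit week and flag a rolled-back clock. The function names and the trusted "floor" date are assumptions for illustration, and the GPS-UTC leap-second offset is ignored.

```python
from datetime import datetime, timedelta, timezone

# GPS week 0 starts at 00:00 on Sunday 6 January 1980, as Saturday 5 January ends.
# Simplification: the GPS-UTC leap-second offset (seconds) is ignored here.
GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)
WEEK = timedelta(weeks=1)
ERA = 1 << 10  # the broadcast week field is 10 bits wide: 0..1023


def full_week(when):
    """Whole weeks elapsed since the GPS epoch, not truncated."""
    return (when - GPS_EPOCH) // WEEK


def broadcast_week(when):
    """The 10-bit week value a satellite transmits at `when`."""
    return full_week(when) % ERA


def week_start(week):
    """UTC date on which a full (untruncated) GPS week begins."""
    return GPS_EPOCH + week * WEEK


def rollover_dates(count):
    """Start of the first `count` weeks in which the 10-bit field wraps to 0."""
    return [week_start(n * ERA) for n in range(1, count + 1)]


def resolve_week(week10, floor):
    """Expand a 10-bit week using `floor`, a date known to be in the past
    (hypothetical choice: a build or release date). Valid for 1024 weeks."""
    base = full_week(floor)
    return base + (week10 - base) % ERA


def rolled_back(reported, floor):
    """Detection check: a source claiming a date before the floor is wrong."""
    return reported < floor


if __name__ == "__main__":
    now = datetime(2021, 10, 24, tzinfo=timezone.utc)   # date from the article
    floor = datetime(2021, 9, 9, tzinfo=timezone.utc)   # constructed sample floor
    print([d.date().isoformat() for d in rollover_dates(3)])
    wrong = week_start(full_week(now) - ERA)            # week count reduced by 1024
    print(full_week(now), broadcast_week(now), wrong.date(), rolled_back(wrong, floor))
    print(week_start(resolve_week(broadcast_week(now), floor)).date())
```

A check like `rolled_back` is cheap to run on any host that takes its clock from a GPS-fed NTP source, because a time earlier than the software's own release date can never be correct.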

Gary Miller, maintainer of gpsd, acknowledged making the error, a simple miscalculation. The bug was introduced at the end of 2019 and is present in versions 3.20, 3.21 and 3.22. The latest official release with the fix is 3.23.1, from September 9, 2021.

Maintainers of various Linux distros, concerned that the bug could result in "the real Y2K panic event," have applied the patch. Debian and Ubuntu have issued the fix.

Zero to 100

The patch has been backported by Debian to their 3.22 series, Miller told The Register in an email.

Asked to estimate the likelihood that things will go awry as a result of people not patching this bug, Miller said, "Depending on what GPS/GNSS receiver is in use, and how it is configured, the chance is either 0 per cent or 100 per cent. Devices configured to output 'Standard' NMEA, will not be affected. Devices, like those from u-blox, running in binary message mode, will be affected."

Miller, who is retired, told The Register in a phone conversation that he maintains gpsd because it's more interesting than playing Sudoku. Nonetheless, he'd welcome support for the project, particularly GPS equipment that he could use for testing.

"Some random guy, who refuses to out himself, used his company GPS simulator to find this bug a few months ago," he said. "I sure wish I had some equipment like that. But most GNSS manufacturers just ignore gpsd. Even when we find bugs in their stuff."

Miller, who asked that GPS kit maker Meinberg be recognized for its support for gpsd, said he's not sure who is actually using the software he maintains. "I know for a fact that a lot of military stuff uses it," he said, pointing to "man-portable" or "manpack" radios. "I know it's in at least one rocket system. I'm told it's in tanks and delivery trucks and divers' watches."

But determining which of these systems, if any, will suffer adverse effects is difficult. Older versions of the software, 3.19 and earlier, should be okay because they preceded the offending commit. So manufacturers who have not updated their software in years may emerge unscathed.

"The people who are going to be potentially blind-sided are the people who throw up a GPS network time protocol client and look at it every two years – which is a lot," said Miller. "I don't know how big ... I suspect we'll find versions of NTP appliances that got updated two years ago and they all fall flat on the 24th."

Miller suggested financial firms might also run into compliance problems. By law, he said, every market transaction has to be accurately time stamped. If somebody bought the wrong GPS NTP time server and put it in their brokerage house, it could get ugly, he said.

"There will be issues," said Miller. "A few people will be blindsided, and a few of them will take it out on me and it's my mistake."

Life imitates art ... Source: Randall Munroe/XKCD. Used with permission

In his email, Miller included a link to an XKCD comic from last year that's widely known among software developers. It depicts a complex tower of blocks, representing "All modern digital infrastructure," propped up by a fragile column labelled, "A project some random person in Nebraska has been thanklessly maintaining since 2003."

"Well, I'm the guy from Nebraska," said Miller. "Omaha to be precise." ®
