On Wed, Feb 27, 2019 at 10:31:58PM +0100, Salvatore Bonaccorso wrote:
> Source: pspp
> Version: 1.2.0-2
> Severity: normal
> Tags: security upstream
>
> Hi,
>
> The following vulnerability was published for pspp.
>
> CVE-2019-9211[0]:
> | There is a reachable assertion abort in the function
> | write_long_string_missing_values() in data/sys-file-writer.c in
> | libdata.a in GNU PSPP 1.2.0 that will lead to denial of service.
I fixed this on PSPP master with commit 0b842a843537 ("sys-file-writer:
Remove assertions based on file position.").
As has become usual, this bug was reported to Debian and Red Hat and
MITRE and never to me, the upstream author. If you know any way to
de-anonymize whoever is actually finding these bugs, I'd appreciate it.
Whoever it is deserves education.