On Fri, Feb 22, 2019 at 01:59:49PM -0800, Ben Pfaff wrote:
> On Fri, Feb 22, 2019 at 10:57:20PM +0100, Moritz Mühlenhoff wrote:
> > On Wed, Dec 19, 2018 at 10:07:59PM -0800, Ben Pfaff wrote:
> > > On Thu, Dec 20, 2018 at 06:22:14AM +0100, Salvatore Bonaccorso wrote:
> > > > Source: pspp
> > > > Version: 1.2.0-2
> > > > Severity: important
> > > > Tags: security upstream
> > > > 
> > > > Hi,
> > > > 
> > > > The following vulnerability was published for pspp.
> > > > 
> > > > CVE-2018-20230[0]:
> > > > | An issue was discovered in PSPP 1.2.0. There is a heap-based buffer
> > > > | overflow at the function read_bytes_internal in
> > > > | utilities/pspp-dump-sav.c, which allows attackers to cause a denial of
> > > > | service (application crash) or possibly have unspecified other impact.
> > > 
> > > This is another instance of a recurring problem with PSPP, in which some
> > > anonymous person reports a vulnerability to MITRE, but not to the
> > > upstream authors or the pspp-security list, and so the authors only hear
> > > about it when Red Hat and Debian file bugs based on it.  It makes me
> > > really mad.
> > 
> > Regardless of the questionable reporting done here, do you know if this
> > bug has been addressed/reported upstream?
> 
> Yes, I fixed it upstream with commit abd1f816ca3b ("pspp-dump-sav: Issue
> error message for too-large extension records.") on January 1.

Friedrich,
given that buster is now frozen, could you please cherrypick abd1f816ca3b
into a 1.2.0-3 upload and ask the release team for an unblock?

Cheers,
        Moritz
