On Thu, Aug 29, 2019 at 12:20:28AM +0200, Agustin Martin wrote:
> On Mon, Aug 19, 2019 at 04:33:40PM -0400, Kevin Atkinson wrote:
> > On Mon, 19 Aug 2019, Salvatore Bonaccorso wrote:
> >
> > > See
> > > https://lists.gnu.org/archive/html/aspell-announce/2019-08/msg00000.html
> >
> > > Within Debian the "pumpa" will need an update. Others might be
> > > required as well. Kevin Atkinson might be up for help if needed.
> > Also see http://aspell.net/buffer-overread-ucs.txt for a slightly improved
> > version of the announcement that I edited for clarity.
>
> Hi all,
>
> This message is sent to all packages that depend in some way on
> libaspell15 (pdo addresses bcc'ed)
>
> A potentially unbounded buffer over-read has been found in GNU
> Aspell 0.60.*. Package aspell 0.60.7-1 has been uploaded to Debian
> experimental, including upstream patch to deal with this problem.
>
> Unfortunately this fix may break applications that use null-terminated
> UCS-2 or UCS-4 strings with the C API. These applications will need
> to be fixed to make use of the new more secure API in order to
> continue to have a functional spell checker.

This is the list of non aspell packages depending on libaspell15 which are
possibly affected (maintainers bcc'ed),

eiskaltdcpp-qt
enchant
gnustep-gui-runtime
inkscape
kdelibs5-plugins
libenchant1c2a
libenchant2
libenchant-voikko
librcc0
libtext-aspell-perl
mcabber
php7.3-pspell
pumpa
raspell
sonnet-plugins
tea
weechat-plugins
xmlcopyeditor
yagf

--
Agustin
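
An added example, not code from Aspell or from anyone in this thread: it illustrates the general failure class behind the announcement, namely that the terminator of a UCS-2 or UCS-4 string must be matched at the full code-unit width and within a known byte length. The helper names and sample buffers are constructed for illustration and do not model Aspell's internals or its new API.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed little-endian sample buffers; not taken from Aspell or the thread. */
static const unsigned char ucs2_ok[]  = {0x68,0x00, 0x69,0x00, 0x00,0x00};
static const unsigned char ucs2_bad[] = {0x68,0x00, 0x69,0x00, 0x00,0xAA, 0xAA,0xAA};
static const unsigned char ucs4_ok[]  = {0x68,0x00,0x00,0x00, 0x00,0x00,0x00,0x00};

/* Hypothetical helper: offset of the first zero byte, which is where an
   8-bit strlen() would stop. Returns -1 if there is none within cap bytes. */
long first_zero_byte(const void *buf, size_t cap)
{
    const unsigned char *z = memchr(buf, 0, cap);
    return z ? (long)(z - (const unsigned char *)buf) : -1;
}

/* Hypothetical helper: byte length of a UCS-2 (unit 2) or UCS-4 (unit 4)
   string, excluding its terminator. Only a zero code unit of the full
   width counts, and the scan never reads past cap bytes. Returns -1 when
   no terminator lies inside the buffer, the case where an unbounded scan
   would run off the end. */
long bounded_wide_len(const void *buf, size_t cap, size_t unit)
{
    static const unsigned char zero[4] = {0, 0, 0, 0};
    const unsigned char *p = buf;

    if (unit != 2 && unit != 4)
        return -1;
    for (size_t off = 0; off + unit <= cap; off += unit) {
        /* memcmp avoids alignment assumptions about the caller's buffer */
        if (memcmp(p + off, zero, unit) == 0)
            return (long)off;
    }
    return -1;
}

int main(void)
{
    printf("ucs2_ok : byte scan %ld, wide scan %ld\n",
           first_zero_byte(ucs2_ok, sizeof ucs2_ok),
           bounded_wide_len(ucs2_ok, sizeof ucs2_ok, 2));
    printf("ucs2_bad: wide scan %ld\n",
           bounded_wide_len(ucs2_bad, sizeof ucs2_bad, 2));
    printf("ucs4_ok : wide scan %ld\n",
           bounded_wide_len(ucs4_ok, sizeof ucs4_ok, 4));
    return 0;
}
```

In `ucs2_bad` the text is followed by a single zero byte rather than a 16-bit zero, so the bounded scan reports failure where an unbounded one would keep reading adjacent memory.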