Hello community,

here is the log from the commit of package pspp for openSUSE:Factory checked in at 2017-08-10 14:04:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pspp (Old)
 and      /work/SRC/openSUSE:Factory/.pspp.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pspp"

Thu Aug 10 14:04:33 2017 rev:5 rq:513105 version:0.10.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/pspp/pspp.changes        2017-02-07 
12:08:31.130741743 +0100
+++ /work/SRC/openSUSE:Factory/.pspp.new/pspp.changes   2017-08-10 
14:12:50.362234030 +0200
@@ -1,0 +2,8 @@
+Sat Jul 29 19:17:10 UTC 2017 - opensuse.lietuviu.ka...@gmail.com
+
+- Add pspp-0001-sys-file-reader-Avoid-null-dereference-skipping-bad-.patch
+  to fix NULL Pointer dereference in ll_insert (bnc#1046997, CVE-2017-10792).
+- Add pspp-0002-sys-file-reader-Fix-integer-overflows-in-parse_long_.patch 
+  to fix  Integer overflow in the hash_int library (bnc#1046998, 
CVE-2017-10791).
+
+-------------------------------------------------------------------

New:
----
  pspp-0001-sys-file-reader-Avoid-null-dereference-skipping-bad-.patch
  pspp-0002-sys-file-reader-Fix-integer-overflows-in-parse_long_.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pspp.spec ++++++
--- /var/tmp/diff_new_pack.nXc5vP/_old  2017-08-10 14:12:51.434083113 +0200
+++ /var/tmp/diff_new_pack.nXc5vP/_new  2017-08-10 14:12:51.442081987 +0200
@@ -2,7 +2,7 @@
 
 # Copyright (c) 2008 Matj Cepl <mc...@redhat.com>
 # Copyright (c) 2008 D. Steuer <ste...@hsuhh.de>
-# Copyright (c) 2010-2015 embar <em...@super.lt>
+# Copyright (c) 2010-2017 <opensuse.lietuviu.ka...@gmail.com>
 
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
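Review bot: the new line `# Copyright (c) 2010-2017 <opensuse.lietuviu.ka...@gmail.com>` drops the holder's name and keeps only an address, while every other copyright line in this block pairs a name with the address; add the name. Rewriting the years on the existing `2010-2015 embar` line also reassigns that contributor's attribution; keep the embar line as it was and add a separate line for the new maintainer's years unless both addresses belong to the same person, in which case say so in the changes entry.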
@@ -14,7 +14,7 @@
 # published by the Open Source Initiative.
 
 # Usable with currently supported openSUSE releases
-# 13.2, 42.1
+# 13.2, 42.1, 42.2, 42.3
 
 # Variable gitversion is part of build name, for example, gitversion of 
0.7.6-g08d746 is g08d746
 # it help to build from git
@@ -36,6 +36,10 @@
 URL:            http://www.gnu.org/software/pspp/
 Source0:        ftp://ftp.gnu.org/pub/gnu/pspp/pspp-0.10.2.tar.gz
 #ftp://ftp.gnu.org/pub/gnu/pspp/pspp-{version}.tar.gz
+# PATCH-FIX-UPSTREAM 
pspp-0001-sys-file-reader-Avoid-null-dereference-skipping-bad-.patch 
bnc#1046997 CVE-2017-10792
+Patch1:         
pspp-0001-sys-file-reader-Avoid-null-dereference-skipping-bad-.patch
+# PATCH-FIX-UPSTREAM 
pspp-0002-sys-file-reader-Fix-integer-overflows-in-parse_long_.patch 
bnc#1046998 CVE-2017-10791
+Patch2:         
pspp-0002-sys-file-reader-Fix-integer-overflows-in-parse_long_.patch
 
 BuildRoot:      %{_tmppath}/pspp-root
 %if 0%{?centos_version} 
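Review bot: the two PATCH-FIX-UPSTREAM comments record bnc# and CVE ids but no upstream commit reference; the patch headers below carry only author and date (Ben Pfaff, 4 Jul 2017), so add the upstream commit id or URL to each comment once known, otherwise it is hard to tell at the next version bump whether the patch is already in the tarball. Unrelated but visible in the context: the commented-out template `#ftp://ftp.gnu.org/pub/gnu/pspp/pspp-{version}.tar.gz` is missing the `%` in `%{version}`, so it would not expand if ever uncommented.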
@@ -126,6 +130,8 @@
 %else
 %setup -n pspp-%{version}
 %endif
+%patch1 -p1
+%patch2 -p1
 
 %if 0%{?fedora} || 0%{?rhel_version} || 0%{?centos_version} || 
0%{?mandriva_version}
 %build 
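Review bot: the order of `%patch1 -p1` and `%patch2 -p1` is load-bearing and currently correct: the second patch's `index 70a7411f..8ab130c0` starts from the blob the first patch produces (`index 57e1dc82..70a7411f`), so swapping them would make patch2 fail to apply; a short comment noting the dependency would stop a later reorder. Placing the lines after `%endif` means they apply in both %setup branches, which is what is wanted here.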

++++++ pspp-0001-sys-file-reader-Avoid-null-dereference-skipping-bad-.patch 
++++++
From: Ben Pfaff <b...@cs.stanford.edu>
Date: Tue, 4 Jul 2017 12:54:47 -0400
Subject: [PATCH] sys-file-reader: Avoid null dereference skipping bad
 extension record 18.

read_record() assumed that read_extension_record() never set its output
argument to NULL when it returned true, but this is possible in an error
case.

CVE-2017-10792.
See also https://bugzilla.redhat.com/show_bug.cgi?id=1467005.
See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866890.
See also https://security-tracker.debian.org/tracker/CVE-2017-10792.
Reported by team OWL337, with fuzzer collAFL.

diff --git a/src/data/sys-file-reader.c b/src/data/sys-file-reader.c
index 57e1dc82..70a7411f 100644
--- a/src/data/sys-file-reader.c
+++ b/src/data/sys-file-reader.c
@@ -524,7 +524,7 @@ read_record (struct sfm_reader *r, int type,
              18.  I'm surprised that SPSS puts up with this. */
           struct sfm_extension_record *ext;
           bool ok = read_extension_record (r, subtype, &ext);
-          if (ok)
+          if (ok && ext)
             ll_push_tail (&r->var_attrs, &ext->ll);
           return ok;
         }
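Review bot: `if (ok && ext)` removes the dereference, but nothing in the hunk documents that read_extension_record() may return true with its output argument left NULL (the skipped bad record 18 case the subject describes); add a comment at this call site or on read_extension_record()'s contract, since the old assumption is easy to reintroduce at another caller. The function still returns `ok` (true) after dropping the record, so the caller cannot distinguish a parsed extension record from a skipped one; if that matters for diagnostics, emit a warning at the point of skipping rather than silently discarding it.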
++++++ pspp-0002-sys-file-reader-Fix-integer-overflows-in-parse_long_.patch 
++++++
From: Ben Pfaff <b...@cs.stanford.edu>
Date: Tue, 4 Jul 2017 12:58:55 -0400
Subject: [PATCH] sys-file-reader: Fix integer overflows in
 parse_long_string_missing_values().

Crafted system files caused integer overflow errors that in turn caused
aborts.  This fixes the problem.

CVE-2017-10791.
See also https://bugzilla.redhat.com/show_bug.cgi?id=1467004.
See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866890.
See also https://security-tracker.debian.org/tracker/CVE-2017-10791.
Found by team OWL337, using the collAFL fuzzer.

diff --git a/src/data/sys-file-reader.c b/src/data/sys-file-reader.c
index 70a7411f..8ab130c0 100644
--- a/src/data/sys-file-reader.c
+++ b/src/data/sys-file-reader.c
@@ -2464,7 +2464,8 @@ parse_long_string_value_labels (struct sfm_reader *r,
       ofs += 4;
 
       /* Parse variable name, width, and number of labels. */
-      if (!check_overflow (r, record, ofs, var_name_len + 8))
+      if (!check_overflow (r, record, ofs, var_name_len)
+          || !check_overflow (r, record, ofs, var_name_len + 8))
         return;
       var_name = recode_string_pool ("UTF-8", dict_encoding,
                                      (const char *) record->data + ofs,
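Review bot: the commit subject names only parse_long_string_missing_values(), but this hunk is in parse_long_string_value_labels(); the subject and message should cover both functions. The fix works because the first `check_overflow (r, record, ofs, var_name_len)` rejects any var_name_len larger than what remains in the record, so the second call's `var_name_len + 8` is computed from a value already bounded by the record size and cannot wrap; a one-line comment saying the bare-length check exists to bound the sum would make the two-step pattern read as intentional rather than redundant.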
@@ -2582,7 +2583,8 @@ parse_long_string_missing_values (struct sfm_reader *r,
       ofs += 4;
 
       /* Parse variable name. */
-      if (!check_overflow (r, record, ofs, var_name_len + 1))
+      if (!check_overflow (r, record, ofs, var_name_len)
+          || !check_overflow (r, record, ofs, var_name_len + 1))
         return;
       var_name = recode_string_pool ("UTF-8", dict_encoding,
                                      (const char *) record->data + ofs,
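Review bot: same two-step pattern as the value-labels hunk, with `+ 1` instead of `+ 8`; keep the bare-length check first in the `||` so the short-circuit guarantees var_name_len is bounded before the addition is evaluated, and add the same explanatory comment here. Since this is the only validation of the file-supplied length before it is passed on to recode_string_pool(), consider a shared helper (e.g. one check that takes the length and the fixed trailer size and performs both tests) so the two call sites cannot drift apart.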
