Hello community,

here is the log from the commit of package pspp for openSUSE:Factory checked in at 2017-08-10 14:04:33

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pspp (Old)
 and      /work/SRC/openSUSE:Factory/.pspp.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pspp" Thu Aug 10 14:04:33 2017 rev:5 rq:513105 version:0.10.2 Changes: -------- --- /work/SRC/openSUSE:Factory/pspp/pspp.changes 2017-02-07 12:08:31.130741743 +0100 +++ /work/SRC/openSUSE:Factory/.pspp.new/pspp.changes 2017-08-10 14:12:50.362234030 +0200 @@ -1,0 +2,8 @@ +Sat Jul 29 19:17:10 UTC 2017 - [email protected] + +- Add pspp-0001-sys-file-reader-Avoid-null-dereference-skipping-bad-.patch + to fix NULL Pointer dereference in ll_insert (bnc#1046997, CVE-2017-10792). +- Add pspp-0002-sys-file-reader-Fix-integer-overflows-in-parse_long_.patch + to fix Integer overflow in the hash_int library (bnc#1046998, CVE-2017-10791). + +------------------------------------------------------------------- New: ---- pspp-0001-sys-file-reader-Avoid-null-dereference-skipping-bad-.patch pspp-0002-sys-file-reader-Fix-integer-overflows-in-parse_long_.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pspp.spec ++++++ --- /var/tmp/diff_new_pack.nXc5vP/_old 2017-08-10 14:12:51.434083113 +0200 +++ /var/tmp/diff_new_pack.nXc5vP/_new 2017-08-10 14:12:51.442081987 +0200 @@ -2,7 +2,7 @@ # Copyright (c) 2008 Matj Cepl <[email protected]> # Copyright (c) 2008 D. Steuer <[email protected]> -# Copyright (c) 2010-2015 embar <[email protected]> +# Copyright (c) 2010-2017 <[email protected]> # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -14,7 +14,7 @@ # published by the Open Source Initiative. # Usable with currently supported openSUSE releases -# 13.2, 42.1 +# 13.2, 42.1, 42.2, 42.3 # Variable gitversion is part of build name, for example, gitversion of 0.7.6-g08d746 is g08d746 # it help to build from git 
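Review bot: the pspp.changes hunk describes the two patches by the crash sites named in the CVE text rather than by what the patches change: the pspp-0002 entry says "Integer overflow in the hash_int library", but that patch touches only parse_long_string_value_labels() and parse_long_string_missing_values() in src/data/sys-file-reader.c, and the pspp-0001 entry names ll_insert while the patch adds a NULL check in read_record() before ll_push_tail(). Reword both entries to name the functions actually fixed (the hash_int / ll_insert crash sites can stay as a secondary mention), so that someone reading the changelog against the diff is not sent looking for a change under libpspp.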
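Review bot: the copyright hunk in pspp.spec drops the contributor's name and keeps only the address, turning "-# Copyright (c) 2010-2015 embar <...>" into "+# Copyright (c) 2010-2017 <...>"; if the intent was only to extend the year range, restore the name in the new line.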
@@ -36,6 +36,10 @@ URL: http://www.gnu.org/software/pspp/ Source0: ftp://ftp.gnu.org/pub/gnu/pspp/pspp-0.10.2.tar.gz #ftp://ftp.gnu.org/pub/gnu/pspp/pspp-{version}.tar.gz +# PATCH-FIX-UPSTREAM pspp-0001-sys-file-reader-Avoid-null-dereference-skipping-bad-.patch bnc#1046997 CVE-2017-10792 +Patch1: pspp-0001-sys-file-reader-Avoid-null-dereference-skipping-bad-.patch +# PATCH-FIX-UPSTREAM pspp-0002-sys-file-reader-Fix-integer-overflows-in-parse_long_.patch bnc#1046998 CVE-2017-10791 +Patch2: pspp-0002-sys-file-reader-Fix-integer-overflows-in-parse_long_.patch BuildRoot: %{_tmppath}/pspp-root %if 0%{?centos_version} @@ -126,6 +130,8 @@ %else %setup -n pspp-%{version} %endif +%patch1 -p1 +%patch2 -p1 %if 0%{?fedora} || 0%{?rhel_version} || 0%{?centos_version} || 0%{?mandriva_version} %build ++++++ pspp-0001-sys-file-reader-Avoid-null-dereference-skipping-bad-.patch ++++++ From: Ben Pfaff <[email protected]> Date: Tue, 4 Jul 2017 12:54:47 -0400 Subject: [PATCH] sys-file-reader: Avoid null dereference skipping bad extension record 18. read_record() assumed that read_extension_record() never set its output argument to NULL when it returned true, but this is possible in an error case. CVE-2017-10792. See also https://bugzilla.redhat.com/show_bug.cgi?id=1467005. See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866890. See also https://security-tracker.debian.org/tracker/CVE-2017-10792. Reported by team OWL337, with fuzzer collAFL. diff --git a/src/data/sys-file-reader.c b/src/data/sys-file-reader.c index 57e1dc82..70a7411f 100644 --- a/src/data/sys-file-reader.c +++ b/src/data/sys-file-reader.c @@ -524,7 +524,7 @@ read_record (struct sfm_reader *r, int type, 18. I'm surprised that SPSS puts up with this. */ struct sfm_extension_record *ext; bool ok = read_extension_record (r, subtype, &ext); - if (ok) + if (ok && ext) ll_push_tail (&r->var_attrs, &ext->ll); return ok; } ++++++ pspp-0002-sys-file-reader-Fix-integer-overflows-in-parse_long_.patch ++++++ 
From: Ben Pfaff <[email protected]> Date: Tue, 4 Jul 2017 12:58:55 -0400 Subject: [PATCH] sys-file-reader: Fix integer overflows in parse_long_string_missing_values(). Crafted system files caused integer overflow errors that in turn caused aborts. This fixes the problem. CVE-2017-10791. See also https://bugzilla.redhat.com/show_bug.cgi?id=1467004. See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866890. See also https://security-tracker.debian.org/tracker/CVE-2017-10791. Found by team OWL337, using the collAFL fuzzer. diff --git a/src/data/sys-file-reader.c b/src/data/sys-file-reader.c index 70a7411f..8ab130c0 100644 --- a/src/data/sys-file-reader.c +++ b/src/data/sys-file-reader.c @@ -2464,7 +2464,8 @@ parse_long_string_value_labels (struct sfm_reader *r, ofs += 4; /* Parse variable name, width, and number of labels. */ - if (!check_overflow (r, record, ofs, var_name_len + 8)) + if (!check_overflow (r, record, ofs, var_name_len) + || !check_overflow (r, record, ofs, var_name_len + 8)) return; var_name = recode_string_pool ("UTF-8", dict_encoding, (const char *) record->data + ofs, @@ -2582,7 +2583,8 @@ parse_long_string_missing_values (struct sfm_reader *r, ofs += 4; /* Parse variable name. */ - if (!check_overflow (r, record, ofs, var_name_len + 1)) + if (!check_overflow (r, record, ofs, var_name_len) + || !check_overflow (r, record, ofs, var_name_len + 1)) return; var_name = recode_string_pool ("UTF-8", dict_encoding, (const char *) record->data + ofs,
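Review bot: the "@@ -36,6 +36,10 @@" hunk in pspp.spec tags Patch1 and Patch2 as PATCH-FIX-UPSTREAM with bnc# and CVE references but no upstream commit id or URL; add the upstream commit each patch was exported from to its "# PATCH-FIX-UPSTREAM" comment, so the patches can be confirmed as included and dropped cleanly at the next version bump.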
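Review bot: in the read_record() hunk of pspp-0001, "if (ok && ext)" makes a subtype-18 record that read_extension_record() returned true for with ext left NULL silently disappear, and nothing at this call site records that a record was skipped, even though the commit message calls that combination an error case. Either surface it here (return false, or at least a diagnostic) or document on read_extension_record() that a true return with a NULL output means "record skipped", and check the other callers of read_extension_record() for the same assumption this hunk removes, since the fix is applied only at the ll_push_tail (&r->var_attrs, &ext->ll) site.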
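Review bot: the parse_long_string_value_labels() hunk of pspp-0002 relies on check_overflow() being safe for an arbitrary var_name_len read from the record: "!check_overflow (r, record, ofs, var_name_len)" only closes the hole if check_overflow() compares the length against the bytes remaining after ofs rather than computing ofs + len in the same width, otherwise a crafted value near the top of the range still wraps inside the first call and the second call, "!check_overflow (r, record, ofs, var_name_len + 8)", only catches the wrap in the "+ 8" at this site. If check_overflow() does subtract, a one-line comment saying why the bare-length check comes first would help the next reader; if it adds, bound var_name_len against the maximum variable-name length before doing any arithmetic with it, which also rejects the crafted record with a clearer message.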
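Review bot: the commit subject of pspp-0002 names only parse_long_string_missing_values(), but the first hunk applies the same fix to parse_long_string_value_labels(); the commit message should list both. The parse_long_string_missing_values() hunk also repeats the two-call pattern from the first hunk with "var_name_len + 1" instead of "+ 8"; a small helper that takes the name length and the trailer size would keep the two sites from drifting apart, and the same "ofs += 4" then length-from-file sequence is worth auditing in the other parse_* routines of sys-file-reader.c with the same fuzzer corpus.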
