Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package pspp [ Andreas Tille ] * Team upload. * Take over package into Debian Science team maintenance [ Ben Pfaff ] * Issue error message for too-large extension records. (CVE-2018-20230) Closes: #916902 unblock pspp/1.2.0-3 -- System Information: Debian Release: 9.8 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-6-amd64 (SMP w/1 CPU core) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru pspp-1.2.0/debian/changelog pspp-1.2.0/debian/changelog
--- pspp-1.2.0/debian/changelog 2018-11-26 07:50:21.000000000 +0100
+++ pspp-1.2.0/debian/changelog 2019-04-23 13:59:03.000000000 +0200
@@ -1,3 +1,15 @@
+pspp (1.2.0-3) unstable; urgency=medium
+
+ [ Andreas Tille ]
+ * Team upload.
+ * Take over package into Debian Science team maintenance
+
+ [ Ben Pfaff ]
+ * Issue error message for too-large extension records. (CVE-2018-20230)
+ Closes: #916902
+
+ -- Andreas Tille <ti...@debian.org> Tue, 23 Apr 2019 13:59:03 +0200
+
 pspp (1.2.0-2) unstable; urgency=low
 
 * Fixed regression error in segmentation
diff -Nru pspp-1.2.0/debian/control pspp-1.2.0/debian/control
--- pspp-1.2.0/debian/control 2018-11-26 07:50:21.000000000 +0100
+++ pspp-1.2.0/debian/control 2019-04-23 13:59:03.000000000 +0200
@@ -1,8 +1,9 @@
 Source: pspp
 Section: math
 Priority: optional
-Maintainer: Friedrich Beckmann <friedrich.beckm...@gmx.de>
-Uploaders: Ben Pfaff <b...@cs.stanford.edu>
+Maintainer: Debian Science Team <debian-science-maintain...@lists.alioth.debian.org>
+Uploaders: Friedrich Beckmann <friedrich.beckm...@gmx.de>,
+ Ben Pfaff <b...@cs.stanford.edu>
 # postgresql is disabled on hurd-i386 in order to remove
 # postgres support which will not build on hurd-i386
 # see: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820743
@@ -29,6 +30,8 @@
 libpq-dev,
 emacsen-common (>= 2.0.8)
 Standards-Version: 4.2.1
+Vcs-Browser: https://salsa.debian.org/science-team/pspp
+Vcs-Git: https://salsa.debian.org/science-team/pspp.git
 Homepage: http://savannah.gnu.org/projects/pspp
 
 Package: pspp
diff -Nru pspp-1.2.0/debian/patches/0002-pspp-dump-sav-Issue-error-message-for-too-large-exte.patch pspp-1.2.0/debian/patches/0002-pspp-dump-sav-Issue-error-message-for-too-large-exte.patch
--- pspp-1.2.0/debian/patches/0002-pspp-dump-sav-Issue-error-message-for-too-large-exte.patch 1970-01-01 01:00:00.000000000 +0100
+++ pspp-1.2.0/debian/patches/0002-pspp-dump-sav-Issue-error-message-for-too-large-exte.patch 2019-04-23 13:59:03.000000000 +0200
@@ -0,0 +1,126 @@
+From abd1f816ca3b4f382bddf4564ad092aa934f0ccc Mon Sep 17 00:00:00 2001
+Author: Ben Pfaff <b...@cs.stanford.edu>
+Date: Tue, 1 Jan 2019 08:36:05 -0800
+Bug-Debian: https://bugs.debian.org/916902
+Subject: [PATCH 02/67] pspp-dump-sav: Issue error message for too-large
+ extension records.
+
+CVE-2018-20230.
+---
+ NEWS | 2 ++
+ utilities/pspp-dump-sav.c | 30 ++++++++++++++++++------------
+ 2 files changed, 20 insertions(+), 12 deletions(-)
+
+--- a/NEWS
++++ b/NEWS
+@@ -4,6 +4,8 @@ See the end for copying conditions.
+
+ Please send PSPP bug reports to bug-gnu-p...@gnu.org.
+
++ * Bug fix for CVE-2018-20230.
++
+ Changes from 1.0.1 to 1.2.0:
+
+ * New experimental command SAVE DATA COLLECTION to save MDD files.
+--- a/utilities/pspp-dump-sav.c
++++ b/utilities/pspp-dump-sav.c
+@@ -37,6 +37,7 @@
+ #include "gl/progname.h"
+ #include "gl/version-etc.h"
+ #include "gl/xalloc.h"
++#include "gl/xsize.h"
+
+ #define ID_MAX_LEN 64
+
+@@ -99,7 +100,7 @@ static void read_simple_compressed_data
+ static void read_zlib_compressed_data (struct sfm_reader *);
+
+ static struct text_record *open_text_record (
+- struct sfm_reader *, size_t size);
++ struct sfm_reader *, size_t size, size_t count);
+ static void close_text_record (struct text_record *);
+ static bool read_variable_to_value_pair (struct text_record *,
+ char **key, char **value);
+@@ -735,7 +736,7 @@ read_extra_product_info (struct sfm_read
+ const char *s;
+
+ printf ("%08llx: extra product info\n", (long long int) ftello (r->file));
+- text = open_text_record (r, size * count);
++ text = open_text_record (r, size, count);
+ s = text_get_all (text);
+ print_string (s, strlen (s));
+ close_text_record (text);
+@@ -749,7 +750,7 @@ read_mrsets (struct sfm_reader *r, size_
+
+ printf ("%08llx: multiple response sets\n",
+ (long long int) ftello (r->file));
+- text = open_text_record (r, size * count);
++ text = open_text_record (r, size, count);
+ for (;;)
+ {
+ const char *name;
+@@ -909,7 +910,7 @@ read_long_var_name_map (struct sfm_reade
+
+ printf ("%08llx: long variable names (short => long)\n",
+ (long long int) ftello (r->file));
+- text = open_text_record (r, size * count);
++ text = open_text_record (r, size, count);
+ while (read_variable_to_value_pair (text, &var, &long_name))
+ printf ("\t%s => %s\n", var, long_name);
+ close_text_record (text);
+@@ -926,7 +927,7 @@ read_long_string_map (struct sfm_reader
+
+ printf ("%08llx: very long strings (variable => length)\n",
+ (long long int) ftello (r->file));
+- text = open_text_record (r, size * count);
++ text = open_text_record (r, size, count);
+ while (read_variable_to_value_pair (text, &var, &length_s))
+ printf ("\t%s => %d\n", var, atoi (length_s));
+ close_text_record (text);
+@@ -1004,7 +1005,7 @@ read_datafile_attributes (struct sfm_rea
+ struct text_record *text;
+
+ printf ("%08llx: datafile attributes\n", (long long int) ftello (r->file));
+- text = open_text_record (r, size * count);
++ text = open_text_record (r, size, count);
+ read_attributes (r, text, "datafile");
+ close_text_record (text);
+ }
+@@ -1196,7 +1197,7 @@ read_variable_attributes (struct sfm_rea
+ struct text_record *text;
+
+ printf ("%08llx: variable attributes\n", (long long int) ftello (r->file));
+- text = open_text_record (r, size * count);
++ text = open_text_record (r, size, count);
+ for (;;)
+ {
+ const char *variable = text_tokenize (text, ':');
+@@ -1389,18 +1390,23 @@ struct text_record
+ size_t pos; /* Current position in buffer. */
+ };
+
+-/* Reads SIZE bytes into a text record for R,
++/* Reads SIZE * COUNT bytes into a text record for R,
+ and returns the new text record. */
+ static struct text_record *
+-open_text_record (struct sfm_reader *r, size_t size)
++open_text_record (struct sfm_reader *r, size_t size, size_t count)
+ {
+ struct text_record *text = xmalloc (sizeof *text);
+- char *buffer = xmalloc (size + 1);
+- read_bytes (r, buffer, size);
++
++ if (size_overflow_p (xsum (1, xtimes (size, count))))
++ sys_error (r, "Extension record too large.");
++
++ size_t n_bytes = size * count;
++ char *buffer = xmalloc (n_bytes + 1);
++ read_bytes (r, buffer, n_bytes);
+ buffer[size] = '\0';
+ text->reader = r;
+ text->buffer = buffer;
+- text->size = size;
++ text->size = n_bytes;
+ text->pos = 0;
+ return text;
+ }
diff -Nru pspp-1.2.0/debian/patches/series pspp-1.2.0/debian/patches/series
--- pspp-1.2.0/debian/patches/series 2018-11-26 07:50:21.000000000 +0100
+++ pspp-1.2.0/debian/patches/series 2019-04-23 13:59:03.000000000 +0200
@@ -1,3 +1,4 @@
 move_appdata_directory.diff
 emacs_elpa.diff
 regression-segment-fix.patch
+0002-pspp-dump-sav-Issue-error-message-for-too-large-exte.patch
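Review bot: In open_text_record, the unchanged line `buffer[size] = '\0';` still indexes by `size`, although the buffer is now allocated as `n_bytes + 1` bytes and `n_bytes` bytes are read into it. When `count` is 0 and `size` is non-zero the allocation is a single byte and this store lands past its end; when `count` is greater than 1 the terminator overwrites a data byte and `buffer[n_bytes]` is left unset while `text->size` reports `n_bytes`. The terminator should follow the bytes actually read: `buffer[n_bytes] = '\0';`. The new overflow guard also depends on `sys_error` not returning, which this hunk does not show; that is worth confirming, since `size * count` is computed immediately after it.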