Re: Bug#866890: pspp - cve-2017-10791 - cve-2017-10792

2017-07-03 Thread John Darrington
On Mon, Jul 03, 2017 at 11:37:30PM +0200, Friedrich Beckmann wrote:
 Hi John,
 
 today I looked a little bit at the hash function. I think the problem is that compared to
 the referenced code the x parameter is type int instead of unsigned int. Googling around, the
 overflow behavior of signed and the shift right of signed is not defined in the C standard
 although "many" implementations assume two's complement signed implementation. Both are well
 defined for unsigned int operations.
 
Ahh.  Perhaps you're right.  But I cannot see that this would cause a crash, so I suspect that's
another problem.

 I changed the parameter type from int to unsigned int and I cannot see a problem in the regression.

What problems did you encounter before your change (if any)?

 But looking at the code I wondered if this hash function also works on 64-bit architectures. The
 reference only talks about uint32_t.

I cannot see that it wouldn't "work".  But it might not create such an efficient hash.

Anyway maybe Ben will be able to have a look soon.
 

J'
 
 
-- 
Avoid eavesdropping.  Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.
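
The signed-versus-unsigned point discussed in this message, as an added example that is not part of the thread and is not PSPP's code. It uses a constructed 32-bit mixer (`mix_u32` and the other function names are hypothetical) that does all arithmetic on `uint32_t`, plus two helpers that show where signed and unsigned right shifts differ.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 32-bit mixer for illustration; NOT PSPP's hash function.
   Every operation is on uint32_t: additions wrap modulo 2^32 and right
   shifts fill with zero bits, so the result is the same everywhere. */
static uint32_t mix_u32(uint32_t x)
{
    x += x << 10;
    x ^= x >> 6;
    x += x << 3;
    x ^= x >> 11;
    x += x << 15;
    return x;
}

/* Hashing an int key: convert first, then mix. Conversion of a negative
   int to uint32_t is defined (value modulo 2^32). Running the same steps
   directly on an int would risk signed overflow (undefined behavior). */
static uint32_t hash_int_key(int key)
{
    return mix_u32((uint32_t) key);
}

/* Right shift of a negative signed value is implementation-defined;
   this returns whatever the current compiler does. */
static int32_t shr_signed(int32_t x, unsigned n) { return x >> n; }

/* Right shift of an unsigned value is always a logical shift. */
static uint32_t shr_unsigned(uint32_t x, unsigned n) { return x >> n; }

int main(void)
{
    printf("shr_signed(-16, 2)          = %ld\n", (long) shr_signed(-16, 2));
    printf("shr_unsigned(0xFFFFFFF0, 2) = 0x%08lX\n",
           (unsigned long) shr_unsigned(0xFFFFFFF0u, 2));
    printf("hash_int_key(1)  = 0x%08lX\n", (unsigned long) hash_int_key(1));
    printf("hash_int_key(-1) = 0x%08lX\n", (unsigned long) hash_int_key(-1));
    return 0;
}
```

Building the signed variant of such a mixer with `-fsanitize=undefined` is one way to have the compiler report signed overflow at run time.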





Re: pspp - cve-2017-10791 - cve-2017-10792

2017-07-03 Thread John Darrington
I suspect this report is mistaken.  But this bit is Ben's code, so I'll let him comment on
that.

J'

On Mon, Jul 03, 2017 at 07:22:57AM +0200, Friedrich Beckmann wrote:
 Dear owl337 team,
 
 thanks for looking at pspp and finding the security problems
 
 https://security-tracker.debian.org/tracker/CVE-2017-10791
 
 and
 
 https://security-tracker.debian.org/tracker/CVE-2017-10792
 
 in pspp! Your reports are quite detailed. Could you describe how you found the problems, i.e. do
 you have some information about collAFL?
 
 Regards
 
 Friedrich
 
 
 

-- 
Avoid eavesdropping.  Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.


