I looked for dependent packages in oe-core and in meta-oe with grep and found
only enchant and enchant2 although I was able to build both of them having the
aspell patch applied.
Best regards,
Stefan Ghinea
On 3/12/20 14:25, Mittal, Anuj wrote:
It looks like this is changing the API. I
Yes, you are correct. White listing isn't right either.
-Mikko
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
> -Original Message-
> From: mikko.rap...@bmw.de
> Sent: Thursday, March 12, 2020 08:34 PM
> To: Mittal, Anuj
> Cc: openembedded-core@lists.openembedded.org; stefan.ghi...@windriver.com
> Subject: Re: [OE-core] [PATCH] [zeus] aspell: CVE-2019-20433
>
> On Th
On Thu, Mar 12, 2020 at 12:34:19PM +, mikko.rap...@bmw.de wrote:
> On Thu, Mar 12, 2020 at 12:25:21PM +, Mittal, Anuj wrote:
> > It looks like this is changing the API. I wonder if this would need any
> > other change or break something elsewhere in OE-core, meta-oe?
> >
> >
On Thu, Mar 12, 2020 at 12:25:21PM +, Mittal, Anuj wrote:
> It looks like this is changing the API. I wonder if this would need any
> other change or break something elsewhere in OE-core, meta-oe?
>
> http://aspell.net/buffer-overread-ucs.txt
Debian classified issues as minor and fixed only
It looks like this is changing the API. I wonder if this would need any
other change or break something elsewhere in OE-core, meta-oe?
http://aspell.net/buffer-overread-ucs.txt
Thanks,
Anuj
On Thu, 2020-03-12 at 11:23 +0200, Stefan Ghinea wrote:
> libaspell.a in GNU Aspell before 0.60.8 has a
libaspell.a in GNU Aspell before 0.60.8 has a buffer over-read for a string
ending with a single '\0' byte, if the encoding is set to ucs-2 or ucs-4
outside of the application, as demonstrated by the ASPELL_CONF environment
variable.
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-20433