From ${URL} :

Multiple vulnerabilities were found in the pspp library.

CVE-2017-10791: There is an Integer overflow in the hash_int function of the libpspp library in GNU PSPP 0.10.5-pre2. For example, a crash was observed within the library code when attempting to convert invalid SPSS data into CSV format. A crafted input will lead to a denial of service attack.
https://bugzilla.redhat.com/show_bug.cgi?id=1467004

CVE-2017-10792: There is a NULL Pointer Dereference in the function ll_insert() of the libpspp library in GNU PSPP 0.10.5-pre2. For example, a crash was observed within the library code when attempting to convert invalid SPSS data into CSV format. A crafted input will lead to a denial of service attack.
https://bugzilla.redhat.com/show_bug.cgi?id=1467005

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
From the pspp changelog:

2017-07-30 Ben Pfaff <blp@cs.stanford.edu>

Update version number to 0.10.5-pre3. This pre-release is primarily to get the CVE-2017-10791 and CVE-2017-10792 fixes into a tarball for folks who find tarballs easier to work with.

The latest release is 1.0.1 and contains the fixes for these CVEs.

Gentoo Security Padawan
Kivak
Created attachment 556302: pspp-1.0.1.ebuild
Created attachment 556304: 50pspp-gentoo.el
Added new ebuild; this has worked for me for a long time without any problems.

This would probably also solve:
https://bugs.gentoo.org/513980
https://bugs.gentoo.org/669742
https://bugs.gentoo.org/670032
https://bugs.gentoo.org/640404
Arches please stabilize sci-mathematics/pspp-1.2.0
An automated check of this bug failed - repoman reported dependency errors (77 lines truncated):

> dependency.bad sci-mathematics/pspp/pspp-1.2.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['x11-libs/spread-sheet-widget']
> dependency.bad sci-mathematics/pspp/pspp-1.2.0.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['x11-libs/spread-sheet-widget']
> dependency.bad sci-mathematics/pspp/pspp-1.2.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['x11-libs/spread-sheet-widget']
x86 stable
amd64 stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b876fbf030e9ef9958d178e4891155ed2753c23f

commit b876fbf030e9ef9958d178e4891155ed2753c23f
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-01-26 01:35:46 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-01-26 01:35:46 +0000

    sci-mathematics/pspp: Remove old

    Bug: https://bugs.gentoo.org/625724
    Package-Manager: Portage-2.3.57, Repoman-2.3.12
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 sci-mathematics/pspp/Manifest           |  2 -
 sci-mathematics/pspp/pspp-0.10.1.ebuild | 78 ---------------------------------
 sci-mathematics/pspp/pspp-0.10.2.ebuild | 78 ---------------------------------
 3 files changed, 158 deletions(-)