CVE-2022-39831 (https://savannah.gnu.org/bugs/?62977): An issue was discovered in PSPP 1.6.2. There is a heap-based buffer overflow at the function read_bytes_internal in utilities/pspp-dump-sav.c, which allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact. This issue is different from CVE-2018-20230.

CVE-2022-39832 (https://savannah.gnu.org/bugs/index.php?63000): An issue was discovered in PSPP 1.6.2. There is a heap-based buffer overflow at the function read_string in utilities/pspp-dump-sav.c, which allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
On both reports: "I fixed it, by preventing the program from being installed: https://git.savannah.gnu.org/cgit/pspp.git/commit/?id=8596d6eb21e40ffaf9321d1cb779333de3126b50. Maybe people will fuzz things that are worthwhile now rather than a program that no one uses."
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1542309301fd9e3f4e35c8685ef956b6f9f58377

commit 1542309301fd9e3f4e35c8685ef956b6f9f58377
Author: Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2022-12-31 16:52:55 +0000
Commit: Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2023-01-01 14:27:06 +0000

sci-mathematics/pspp: new revision to fix a few security and QA issues.

We fix CVE-2022-39831 and CVE-2022-39832 the same way upstream did, by refusing to install the vulnerable program (which was mainly only used for debugging anyway). We now also use a more accurate LICENSE, and add a patch to fix underlinking visible with lld/mold.

Bug: https://bugs.gentoo.org/868618
Closes: https://bugs.gentoo.org/732048
Closes: https://bugs.gentoo.org/877751
Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

.../pspp/files/pspp-1.6.2-underlinking.patch | 27 +++++++
sci-mathematics/pspp/pspp-1.6.2-r2.ebuild | 88 ++++++++++++++++++++++
2 files changed, 115 insertions(+)
Thanks! Please stable when ready. Upstream's rationale about impact seems reasonable so no GLSA.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e42bb93364b17252b6989b77566c9116e1ce7525

commit e42bb93364b17252b6989b77566c9116e1ce7525
Author: Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2023-01-23 20:55:25 +0000
Commit: Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2023-01-23 20:58:23 +0000

sci-mathematics/pspp: drop 1.6.0-r1, 1.6.2-r1

Bug: https://bugs.gentoo.org/868618
Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

sci-mathematics/pspp/Manifest | 1 -
sci-mathematics/pspp/pspp-1.6.0-r1.ebuild | 82 ------------------------------
sci-mathematics/pspp/pspp-1.6.2-r1.ebuild | 84 -------------------------------
3 files changed, 167 deletions(-)
Thanks, all done.