| Summary: | <sci-mathematics/pspp-1.2.0: two vulnerabilities | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> | ||||||
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||
| Status: | RESOLVED FIXED | ||||||||
| Severity: | minor | CC: | pavol.cupka, sci-mathematics | ||||||
| Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
||||||
| Version: | unspecified | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1472861 | ||||||||
| Whiteboard: | B3 [noglsa cve] | ||||||||
| Package list: |
sci-mathematics/pspp-1.2.0
x11-libs/spread-sheet-widget-0.3
|
Runtime testing required: | --- | ||||||
| Attachments: |
|
||||||||
From the pspp changelog: 2017-07-30 Ben Pfaff <blp@cs.stanford.edu> Update version number to 0.10.5-pre3. This pre-release is primarily to get the CVE-2017-10791 and CVE-2017-10792 fixes into a tarball for folks who find tarballs easier to work with. The latest release is 1.0.1 and contains the fixes for these CVE's. Gentoo Security Padawan Kivak Created attachment 556302 [details]
pspp-1.0.1.ebuild
Created attachment 556304 [details]
50pspp-gentoo.el
Added new ebuild, this works for me for a long time without any problems. this would probably also solve: https://bugs.gentoo.org/513980 https://bugs.gentoo.org/669742 https://bugs.gentoo.org/670032 https://bugs.gentoo.org/640404 Arches please stabilize sci-mathematics/pspp-1.2.0 An automated check of this bug failed - repoman reported dependency errors (77 lines truncated):
> dependency.bad sci-mathematics/pspp/pspp-1.2.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['x11-libs/spread-sheet-widget']
> dependency.bad sci-mathematics/pspp/pspp-1.2.0.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['x11-libs/spread-sheet-widget']
> dependency.bad sci-mathematics/pspp/pspp-1.2.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['x11-libs/spread-sheet-widget']
x86 stable amd64 stable The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b876fbf030e9ef9958d178e4891155ed2753c23f commit b876fbf030e9ef9958d178e4891155ed2753c23f Author: Andreas K. Hüttel <dilfridge@gentoo.org> AuthorDate: 2019-01-26 01:35:46 +0000 Commit: Andreas K. Hüttel <dilfridge@gentoo.org> CommitDate: 2019-01-26 01:35:46 +0000 sci-mathematics/pspp: Remove old Bug: https://bugs.gentoo.org/625724 Package-Manager: Portage-2.3.57, Repoman-2.3.12 Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org> sci-mathematics/pspp/Manifest | 2 - sci-mathematics/pspp/pspp-0.10.1.ebuild | 78 --------------------------------- sci-mathematics/pspp/pspp-0.10.2.ebuild | 78 --------------------------------- 3 files changed, 158 deletions(-) |
From ${URL} : Multiple vulnerabilities were found in the pspp library. CVE-2017-10791: There is an Integer overflow in the hash_int function of the libpspp library in GNU PSPP 0.10.5-pre2. For example, a crash was observed within the library code when attempting to convert invalid SPSS data into CSV format. A crafted input will lead to a denial of service attack. https://bugzilla.redhat.com/show_bug.cgi?id=1467004 CVE-2017-10792: There is a NULL Pointer Dereference in the function ll_insert() of the libpspp library in GNU PSPP 0.10.5-pre2. For example, a crash was observed within the library code when attempting to convert invalid SPSS data into CSV format. A crafted input will lead to a denial of service attack. https://bugzilla.redhat.com/show_bug.cgi?id=1467005 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.