Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 625724 (CVE-2017-10791, CVE-2017-10792)

Summary: <sci-mathematics/pspp-1.2.0: two vulnerabilities
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: pavol.cupka, sci-mathematics
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1472861
Whiteboard: B3 [noglsa cve]
Package list:
sci-mathematics/pspp-1.2.0 x11-libs/spread-sheet-widget-0.3
Runtime testing required: ---
Attachments:
Description Flags
pspp-1.0.1.ebuild
none
50pspp-gentoo.el none

Description Agostino Sarubbo gentoo-dev 2017-07-20 12:42:20 UTC
From ${URL} :

Multiple vulnerabilities were found in the pspp library.

CVE-2017-10791:

There is an Integer overflow in the hash_int function of the libpspp library in GNU PSPP 0.10.5-pre2. For example, a crash was observed within the library code when attempting to convert invalid SPSS 
data into CSV format. A crafted input will lead to a denial of service attack.

https://bugzilla.redhat.com/show_bug.cgi?id=1467004

CVE-2017-10792:

There is a NULL Pointer Dereference in the function ll_insert() of the libpspp library in GNU PSPP 0.10.5-pre2. For example, a crash was observed within the library code when attempting to convert 
invalid SPSS data into CSV format. A crafted input will lead to a denial of service attack.

https://bugzilla.redhat.com/show_bug.cgi?id=1467005


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Aleksandr Wagner (Kivak) 2017-09-25 22:08:35 UTC
From the pspp changelog:

2017-07-30  Ben Pfaff  <blp@cs.stanford.edu>

   Update version number to 0.10.5-pre3.
   This pre-release is primarily to get the CVE-2017-10791 and CVE-2017-10792
   fixes into a tarball for folks who find tarballs easier to work with.


The latest release is 1.0.1 and contains the fixes for these CVE's.

Gentoo Security Padawan
Kivak
Comment 2 Pavol Cupka 2018-11-26 17:09:07 UTC
Created attachment 556302 [details]
pspp-1.0.1.ebuild
Comment 3 Pavol Cupka 2018-11-26 17:10:03 UTC
Created attachment 556304 [details]
50pspp-gentoo.el
Comment 4 Pavol Cupka 2018-11-26 17:11:00 UTC
Added new ebuild, this works for me for a long time without any problems.
Comment 6 Andreas K. Hüttel gentoo-dev 2019-01-01 19:17:44 UTC
Arches please stabilize sci-mathematics/pspp-1.2.0
Comment 7 Stabilization helper bot gentoo-dev 2019-01-01 20:00:39 UTC
An automated check of this bug failed - repoman reported dependency errors (77 lines truncated): 

> dependency.bad sci-mathematics/pspp/pspp-1.2.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['x11-libs/spread-sheet-widget']
> dependency.bad sci-mathematics/pspp/pspp-1.2.0.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['x11-libs/spread-sheet-widget']
> dependency.bad sci-mathematics/pspp/pspp-1.2.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['x11-libs/spread-sheet-widget']
Comment 8 Thomas Deutschmann gentoo-dev Security 2019-01-02 19:02:26 UTC
x86 stable
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-01-17 16:59:10 UTC
amd64 stable
Comment 10 Larry the Git Cow gentoo-dev 2019-01-26 01:35:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b876fbf030e9ef9958d178e4891155ed2753c23f

commit b876fbf030e9ef9958d178e4891155ed2753c23f
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-01-26 01:35:46 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-01-26 01:35:46 +0000

    sci-mathematics/pspp: Remove old
    
    Bug: https://bugs.gentoo.org/625724
    Package-Manager: Portage-2.3.57, Repoman-2.3.12
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 sci-mathematics/pspp/Manifest           |  2 -
 sci-mathematics/pspp/pspp-0.10.1.ebuild | 78 ---------------------------------
 sci-mathematics/pspp/pspp-0.10.2.ebuild | 78 ---------------------------------
 3 files changed, 158 deletions(-)