Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 711142 (CVE-2019-17544)

Summary: <app-text/aspell-0.60.8: stack-based buffer over-read in acommon::unescape in common/getdata.cpp (CVE-2019-17544)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: maintainer-wanted
Priority: Normal Keywords: PullRequest
Version: unspecifiedFlags: stable-bot: sanity-check+
Hardware: All   
OS: Linux   
URL: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16109
See Also: https://github.com/gentoo/gentoo/pull/14967
Whiteboard: B3 [noglsa cve]
Package list:
app-text/aspell-0.60.8
 Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-01 03:57:48 UTC 
Description:
"libaspell.a in GNU Aspell before 0.60.8 has a stack-based buffer over-read in acommon::unescape in common/getdata.cpp via an isolated \ character."

Patch: https://github.com/GNUAspell/aspell/commit/80fa26c74279fced8d778351cff19d1d8f44fe4e
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-01 03:58:50 UTC 
NOTE: Marked as A3 because unknown exploitability. Could arguably be A2.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-02 22:24:11 UTC 
app-text/aspell is B category.
Comment 3 Agostino Sarubbo gentoo-dev 2020-03-03 11:08:28 UTC 
sparc stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-03-03 11:46:29 UTC 
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-03 12:36:39 UTC 
s390 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-03 12:39:45 UTC 
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-03-03 12:40:52 UTC 
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-03-03 13:41:40 UTC 
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-03-03 15:14:53 UTC 
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-03-04 08:08:01 UTC 
ia64 stable
Comment 11 Rolf Eike Beer archtester 2020-03-11 17:25:33 UTC 
hppa stable
Comment 12 Mart Raudsepp gentoo-dev 2020-03-13 09:26:38 UTC 
arm64 stable
Comment 13 Larry the Git Cow gentoo-dev 2020-03-15 21:15:51 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=297f863bdf8c040987fc3ec6208cff5931eb8f92

commit 297f863bdf8c040987fc3ec6208cff5931eb8f92
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-15 17:24:04 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-15 21:15:43 +0000

    app-text/aspell: Drop vulnerable
    
    Versions <app-text/aspell-0.60.8 are vulnerable, drop them.
    
    Closes: https://bugs.gentoo.org/711142
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/14967
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-text/aspell/Manifest                 |   2 -
 app-text/aspell/aspell-0.60.7.ebuild     | 103 -------------------------------
 app-text/aspell/aspell-0.60.7_rc1.ebuild | 100 ------------------------------
 3 files changed, 205 deletions(-)
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 21:16:55 UTC 
GLSA Vote: No!

Repository is clean, all done!