Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 868618 (CVE-2022-39831, CVE-2022-39832) - sci-mathematics/pspp: multiple vulnerabilities
Summary: sci-mathematics/pspp: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2022-39831, CVE-2022-39832
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [ebuild/upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-09-05 16:47 UTC by John Helmert III
Modified: 2022-09-26 14:31 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-05 16:47:59 UTC
CVE-2022-39831 (https://savannah.gnu.org/bugs/?62977):

An issue was discovered in PSPP 1.6.2. There is a heap-based buffer overflow at the function read_bytes_internal in utilities/pspp-dump-sav.c, which allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact. This issue is different from CVE-2018-20230.

CVE-2022-39832 (https://savannah.gnu.org/bugs/index.php?63000):

An issue was discovered in PSPP 1.6.2. There is a heap-based buffer overflow at the function read_string in utilities/pspp-dump-sav.c, which allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 14:31:42 UTC
On both reports:

"I fixed it, by preventing the program from being installed: https://git.savannah.gnu.org/cgit/pspp.git/commit/?id=8596d6eb21e40ffaf9321d1cb779333de3126b50. Maybe people will fuzz things that are worthwhile now rather than a program that no one uses."