[Bug 1120061] New: VUL-1: CVE-2018-20230: pspp: a heap-based buffer overflow in read_bytes_internal can cause DOS
http://bugzilla.opensuse.org/show_bug.cgi?id=1120061

Bug ID: 1120061
Summary: VUL-1: CVE-2018-20230: pspp: a heap-based buffer overflow in read_bytes_internal can cause DOS
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: Other
URL: https://smash.suse.de/issue/221456/
OS: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Security
Assignee: opensuse.lietuviu.kalba@gmail.com
Reporter: atoptsoglou@suse.com
QA Contact: security-team@suse.de
Found By: Security Response Team
Blocker: ---

CVE-2018-20230
An issue was discovered in PSPP 1.2.0. There is a heap-based buffer overflow at the function read_bytes_internal in utilities/pspp-dump-sav.c, which allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20230
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20230.html
http://www.cvedetails.com/cve/CVE-2018-20230/
https://bugzilla.redhat.com/show_bug.cgi?id=1660318

--
You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1120061#c1
--- Comment #1 from Mindaugas Baranauskas
pspp-dump-sav poc
File header record:
    Product name: @(#) SPSS DATA FILE MS Windows Release 12.0 spssio32.dll
    Layout code: 2
    Compressed: 1 (simple compression)
    Weight index: 0
    Number of cases: 10
    Compression bias: 100
    Creation date: 30 Jan 13
    Creation time: 14:34:58
    File label: ""
000000b4: variable record #0
    Width: 0 (numeric)
    Variable label: 0
    Missing values code: 0 (no missing values)
    Print format: 050802 (F8.2)
    Write format: 050802 (F8.2)
    Name: VAR00001
000000d4: variable record #1
    Width: 0 (numeric)
    Variable label: 0
    Missing values code: 0 (no missing values)
    Print format: 050802 (F8.2)
    Write format: 050802 (F8.2)
    Name: VAR00002
000000f4: variable record #2
    Width: 0 (numeric)
    Variable label: 0
    Missing values code: 0 (no missing values)
    Print format: 050802 (F8.2)
    Write format: 050802 (F8.2)
    Name: VAR00003
00000114: variable record #3
    Width: 1 (string)
    Variable label: 0
    Missing values code: 0 (no missing values)
    Print format: 010100 (A1.0)
    Write format: 010100 (A1.0)
    Name: VAR00004
00000134: value labels record
    1/"": "Male"
    2/"": "Female"
0000015c: apply to variables
    #2
00000168: value labels record
    2/"": "Student"
    3/"": "Employed"
    4/"": "Unemployed"
000001b0: apply to variables
    #3
000001bc: Record 7, subtype 18, size=4, count=8
000001c8: variable attributes
000001ec: Record 7, subtype 4, size=8, count=3
000001f8: machine float info
    sysmis: -1.797693134862316e+308 (-0x1.fffffffffffffp+1023)
    highest: 1.797693134862316e+308 (0x1.fffffffffffffp+1023)
    lowest: -1.797693134862316e+308 (-0x1.ffffffffffffep+1023)
00000214: Record 7, subtype 11, size=4, count=12
00000220: variable display parameters
    Var #0: measure=3 (scale), width=8, align=1 (right)
    Var #1: measure=1 (nominal), width=8, align=1 (right)
    Var #2: measure=3 (scale), width=8, align=1 (right)
    Var #3: measure=1 (nominal), width=8, align=0 (left)
00000254: Record 7, subtype 13, size=1, count=18446744073709551615
00000260: long variable names (short => long)
"poc" near offset 0x327: System error: Bad address.
http://bugzilla.opensuse.org/show_bug.cgi?id=1120061#c2
--- Comment #2 from Mindaugas Baranauskas
pspp-dump-sav poc
...
00000254: Record 7, subtype 13, size=1, count=18446744073709551615
00000260: long variable names (short => long)
"poc" near offset 0x260: Extension record too large.
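The second dump shows the fixed pspp-dump-sav rejecting the record with "Extension record too large" instead of trusting a count of 18446744073709551615, which is (size_t)-1 on a 64-bit host, most plausibly a 32-bit count of -1 widened to size_t before being multiplied by size. As an added example, not PSPP's code, the C below decodes a record 7 extension header (subtype, size, count as 32-bit little-endian integers, the three fields the dump prints) and bounds the payload length before anything is allocated or read. The 16 MiB cap, the helper names, and the constructed headers are assumptions for the demonstration.

```c
/* Added example, not PSPP's code: validating the header of an SPSS system
 * file "record 7" extension record before its payload is read.
 * Header layout assumed: subtype, size, count as 32-bit little-endian ints
 * (the fields pspp-dump-sav prints as "Record 7, subtype N, size=S, count=C"). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Upper bound on one extension record's payload; an assumed policy value,
 * not a limit taken from PSPP. */
#define MAX_EXT_BYTES ((size_t) 16 * 1024 * 1024)

struct ext_header {
    int32_t subtype;
    int32_t size;   /* bytes per element */
    int32_t count;  /* number of elements */
};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t) p[0] | ((uint32_t) p[1] << 8)
         | ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

static void put_le32(unsigned char *p, int32_t v)
{
    uint32_t u = (uint32_t) v;
    p[0] = u & 0xff;
    p[1] = (u >> 8) & 0xff;
    p[2] = (u >> 16) & 0xff;
    p[3] = (u >> 24) & 0xff;
}

/* Decode the 12-byte header; false if the buffer is shorter than that. */
static bool parse_ext_header(const unsigned char *buf, size_t len, struct ext_header *h)
{
    if (len < 12)
        return false;
    h->subtype = (int32_t) le32(buf);
    h->size    = (int32_t) le32(buf + 4);
    h->count   = (int32_t) le32(buf + 8);
    return true;
}

/* Number of payload bytes to read, or 0 when the record must be rejected.
 * The unsafe pattern is computing size * count in size_t with no checks:
 * a 32-bit count of -1 widens to 18446744073709551615, the value in the
 * dump above, and a read of that many bytes overruns any heap buffer. */
static size_t ext_payload_bytes(const struct ext_header *h, size_t remaining)
{
    if (h->size <= 0 || h->count <= 0)
        return 0;                           /* negative or zero fields */
    if ((size_t) h->count > MAX_EXT_BYTES / (size_t) h->size)
        return 0;                           /* product would overflow or exceed the cap */
    size_t n = (size_t) h->size * (size_t) h->count;
    if (n > remaining)
        return 0;                           /* more bytes than the file has left */
    return n;
}

/* Build a constructed header from the three fields and run both checks;
 * 'remaining' stands in for the bytes left in the file after the header. */
static size_t check_record(int32_t subtype, int32_t size, int32_t count, size_t remaining)
{
    unsigned char buf[12];
    struct ext_header h;
    put_le32(buf, subtype);
    put_le32(buf + 4, size);
    put_le32(buf + 8, count);
    if (!parse_ext_header(buf, sizeof buf, &h))
        return 0;
    return ext_payload_bytes(&h, remaining);
}

int main(void)
{
    /* Headers from the dump above: subtype 4 (size=8, count=3) and subtype 11
     * (size=4, count=12) are accepted; subtype 13 with count -1 is rejected. */
    printf("subtype 4:  %zu bytes\n", check_record(4, 8, 3, 4096));
    printf("subtype 11: %zu bytes\n", check_record(11, 4, 12, 4096));
    printf("subtype 13: %zu bytes (0 = rejected)\n", check_record(13, 1, -1, 4096));
    printf("huge:       %zu bytes (0 = rejected)\n",
           check_record(13, INT32_MAX, INT32_MAX, SIZE_MAX));
    return 0;
}
```

The division form `count > MAX_EXT_BYTES / size` rejects oversized products without ever computing a value that could wrap; the comparison against `remaining` additionally stops a short file from driving a read past the end of whatever buffer holds it, which is the heap overrun the CVE describes.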
http://bugzilla.opensuse.org/show_bug.cgi?id=1120061#c3
--- Comment #3 from Mindaugas Baranauskas
http://bugzilla.opensuse.org/show_bug.cgi?id=1120061#c4
--- Comment #4 from Mindaugas Baranauskas
http://bugzilla.opensuse.org/show_bug.cgi?id=1120061#c5
--- Comment #5 from Alexandros Toptsoglou
Factory/Tumbleweed now has the fixed version.
Update submitted to openSUSE Leap 15.1: https://build.opensuse.org/request/show/670611
I doubt if we really need to update versions for openSUSE Leap 42.3 and 15.0. What do you think?
Normally we like to have security fixes also in LEAP.