Bugzilla – Bug 1120061
VUL-1: CVE-2018-20230: pspp: a heap-based buffer overflow in read_bytes_internal can cause DOS
Last modified: 2019-07-11 15:59:18 UTC
CVE-2018-20230: An issue was discovered in PSPP 1.2.0. There is a heap-based buffer overflow at the function read_bytes_internal in utilities/pspp-dump-sav.c, which allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20230
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20230.html
http://www.cvedetails.com/cve/CVE-2018-20230/
https://bugzilla.redhat.com/show_bug.cgi?id=1660318
Current openSUSE releases have version 1.0.1. The problem also exists here when opening the "poc" file from <https://bugzilla.redhat.com/attachment.cgi?id=1515222>:

> pspp-dump-sav poc
File header record:
        Product name: @(#) SPSS DATA FILE MS Windows Release 12.0 spssio32.dll
         Layout code: 2
          Compressed: 1 (simple compression)
        Weight index: 0
     Number of cases: 10
    Compression bias: 100
       Creation date: 30 Jan 13
       Creation time: 14:34:58
          File label: ""
000000b4: variable record #0
        Width: 0 (numeric)
        Variable label: 0
        Missing values code: 0 (no missing values)
        Print format: 050802 (F8.2)
        Write format: 050802 (F8.2)
        Name: VAR00001
000000d4: variable record #1
        Width: 0 (numeric)
        Variable label: 0
        Missing values code: 0 (no missing values)
        Print format: 050802 (F8.2)
        Write format: 050802 (F8.2)
        Name: VAR00002
000000f4: variable record #2
        Width: 0 (numeric)
        Variable label: 0
        Missing values code: 0 (no missing values)
        Print format: 050802 (F8.2)
        Write format: 050802 (F8.2)
        Name: VAR00003
00000114: variable record #3
        Width: 1 (string)
        Variable label: 0
        Missing values code: 0 (no missing values)
        Print format: 010100 (A1.0)
        Write format: 010100 (A1.0)
        Name: VAR00004
00000134: value labels record
        1/"": "Male"
        2/"": "Female"
0000015c: apply to variables
        #2
00000168: value labels record
        2/"": "Student"
        3/"": "Employed"
        4/"": "Unemployed"
000001b0: apply to variables
        #3
000001bc: Record 7, subtype 18, size=4, count=8
000001c8: variable attributes
000001ec: Record 7, subtype 4, size=8, count=3
000001f8: machine float info
        sysmis: -1.797693134862316e+308 (-0x1.fffffffffffffp+1023)
        highest: 1.797693134862316e+308 (0x1.fffffffffffffp+1023)
        lowest: -1.797693134862316e+308 (-0x1.ffffffffffffep+1023)
00000214: Record 7, subtype 11, size=4, count=12
00000220: variable display parameters
        Var #0: measure=3 (scale), width=8, align=1 (right)
        Var #1: measure=1 (nominal), width=8, align=1 (right)
        Var #2: measure=3 (scale), width=8, align=1 (right)
        Var #3: measure=1 (nominal), width=8, align=0 (left)
00000254: Record 7, subtype 13, size=1, count=18446744073709551615
00000260: long variable names (short => long)
"poc" near offset 0x327: System error: Bad address.
Bug fix committed upstream yesterday:
http://git.savannah.gnu.org/gitweb/?p=pspp.git;a=commitdiff;h=abd1f816ca3b4f382bddf4564ad092aa934f0ccc

I compiled PSPP from today's tarball https://pspp.benpfaff.org/~blp/pspp-master/latest/source/pspp-1.2.0-g2f3fa7.tar.gz and with this version I get this message at the end of the output:

> pspp-dump-sav poc
...
00000254: Record 7, subtype 13, size=1, count=18446744073709551615
00000260: long variable names (short => long)
"poc" near offset 0x260: Extension record too large.
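The two dumps above show the same record-7 extension header: subtype 13, size=1, and a count that prints as 18446744073709551615, which is 2^64-1, i.e. a 32-bit -1 from the file widened into an unsigned 64-bit type before it reaches the byte reader. Before the fix that value reaches fread() and the kernel answers with EFAULT ("Bad address"); after it the record is rejected as "Extension record too large". The C below is an added example written for this page, not code from the bug report or from PSPP's pspp-dump-sav.c. The 16-byte header layout (record type 7, subtype, size, count as little-endian 32-bit ints), the constructed POC_HEADER and GOOD_HEADER bytes, and the names parse_ext_header, unchecked_payload_bytes and checked_payload_bytes are assumptions for illustration; unchecked_payload_bytes models the widen-then-multiply failure inferred from the printed count, not the upstream code line for line.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed header of a type-7 ("extension") record as shown in the dumps:
   record type 7, then subtype, size and count, each a 32-bit LE integer. */
struct ext_header {
    int32_t subtype;
    int32_t size;
    int32_t count;
};

enum ext_status { EXT_OK = 0, EXT_SHORT_HEADER, EXT_BAD_TYPE,
                  EXT_NEGATIVE, EXT_TOO_LARGE };

static int32_t get_le32(const unsigned char *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Parse the 16-byte header at file[off]; never reads past file_len. */
enum ext_status parse_ext_header(const unsigned char *file, size_t file_len,
                                 size_t off, struct ext_header *h)
{
    if (off > file_len || file_len - off < 16)
        return EXT_SHORT_HEADER;
    if (get_le32(file + off) != 7)
        return EXT_BAD_TYPE;
    h->subtype = get_le32(file + off + 4);
    h->size    = get_le32(file + off + 8);
    h->count   = get_le32(file + off + 12);
    return EXT_OK;
}

/* Failure mode modelled on the dump: the signed fields are widened to
   size_t before the multiply, so count = -1 becomes SIZE_MAX and size=1
   yields SIZE_MAX bytes, the length a reader would then hand to fread().
   (The product can also wrap silently for other size/count pairs.) */
size_t unchecked_payload_bytes(const struct ext_header *h)
{
    size_t size = (size_t)h->size;   /* -1 -> SIZE_MAX on every target */
    size_t count = (size_t)h->count;
    return size * count;
}

/* Hardened version: reject negative fields outright, multiply in 64 bits
   (a 31-bit by 31-bit product cannot overflow), and cap the result by the
   bytes that actually remain in the file, mirroring the "Extension record
   too large" outcome seen after the upstream fix. */
enum ext_status checked_payload_bytes(const struct ext_header *h,
                                      size_t remaining, size_t *out)
{
    if (h->size < 0 || h->count < 0)
        return EXT_NEGATIVE;
    uint64_t bytes = (uint64_t)h->size * (uint64_t)h->count;
    if (bytes > remaining)
        return EXT_TOO_LARGE;
    *out = (size_t)bytes;
    return EXT_OK;
}

/* Constructed input (not the bytes of the real poc attachment): the header
   from the dump, type 7, subtype 13, size 1, count -1, plus a 4-byte payload. */
const unsigned char POC_HEADER[] = {
    0x07, 0, 0, 0,  0x0d, 0, 0, 0,  0x01, 0, 0, 0,  0xff, 0xff, 0xff, 0xff,
    'A', 'B', 'C', 'D'
};
const size_t POC_HEADER_LEN = sizeof POC_HEADER;

/* Constructed well-formed header for comparison: subtype 4, size 8, count 3
   (24 payload bytes, as for the "machine float info" record in the dump). */
const unsigned char GOOD_HEADER[] = {
    0x07, 0, 0, 0,  0x04, 0, 0, 0,  0x08, 0, 0, 0,  0x03, 0, 0, 0
};

int main(void)
{
    struct ext_header h;
    size_t n = 0;
    if (parse_ext_header(POC_HEADER, POC_HEADER_LEN, 0, &h) != EXT_OK)
        return 1;
    printf("subtype=%d size=%d count=%d\n", h.subtype, h.size, h.count);
    printf("unchecked payload bytes: %zu\n", unchecked_payload_bytes(&h));
    printf("checked status: %d (0 = ok, 3 = negative field, 4 = too large)\n",
           checked_payload_bytes(&h, POC_HEADER_LEN - 16, &n));
    return 0;
}
```

Bounding the payload by the bytes left in the input is the check that matters for a dump tool: any size/count pair that survives the sign test but still exceeds the file cannot be honoured, so the reader fails closed instead of trusting the header.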
Patched version now can be found at https://build.opensuse.org/package/show/Education/pspp?rev=36 and requested to submit into Factory: https://build.opensuse.org/request/show/662683
Factory/Tumbleweed now has the fixed version. Update submitted to openSUSE Leap 15.1: https://build.opensuse.org/request/show/670611 I doubt we really need to update the versions for openSUSE Leap 42.3 and 15.0. What do you think?
(In reply to Mindaugas Baranauskas from comment #4)
> Factory/Tumbleweed now has fixed version.
>
> Update submitted to openSUSE Leap 15.1:
> https://build.opensuse.org/request/show/670611
>
> I doubt if we really need to update versions for openSUSE Leap 42.3 and
> 15.0. What do you think?

Normally we like to have security fixes also in LEAP.
This is an autogenerated message for OBS integration:
This bug (1120061) was mentioned in
https://build.opensuse.org/request/show/671015 42.3 / pspp+spread-sheet-widget
https://build.opensuse.org/request/show/671017 15.0 / pspp+spread-sheet-widget
openSUSE-SU-2019:0198-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1120061
CVE References: CVE-2018-20230
Sources used:
openSUSE Leap 15.0 (src): pspp-1.2.0-lp150.2.3.1, spread-sheet-widget-0.3-lp150.2.1

openSUSE-SU-2019:0212-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1120061
CVE References: CVE-2018-20230
Sources used:
openSUSE Leap 42.3 (src): pspp-1.2.0-11.1, spread-sheet-widget-0.3-2.1

openSUSE-SU-2019:0240-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1120061
CVE References: CVE-2018-20230
Sources used:
openSUSE Backports SLE-15 (src): pspp-1.2.0-bp150.3.3.1, spread-sheet-widget-0.3-bp150.2.1
This is automated batch bugzilla cleanup. The openSUSE 42.3 changed to end-of-life (EOL [1]) status. As such it is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of openSUSE (At this moment openSUSE Leap 15.1, 15.0 and Tumbleweed) please feel free to reopen this bug against that version (!you must update the "Version" component in the bug fields, do not just reopen please), or alternatively create a new ticket. Thank you for reporting this bug and we are sorry it could not be fixed during the lifetime of the release. [1] https://en.opensuse.org/Lifetime
actually fixed