Source: pspp
Version: 1.2.0-2
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for pspp.

CVE-2018-20230[0]:
| An issue was discovered in PSPP 1.2.0. There is a heap-based buffer
| overflow at the function read_bytes_internal in
| utilities/pspp-dump-sav.c, which allows attackers to cause a denial of
| service (application crash) or possibly have unspecified other impact.

> ==6100==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x602000000471 at pc 0x7fa0eba71110 bp 0x7ffcb1f6d0f0 sp 0x7ffcb1f6c8a0
> WRITE of size 199 at 0x602000000471 thread T0
>     #0 0x7fa0eba7110f  (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x9810f)
>     #1 0x40d1a9 in read_bytes_internal utilities/pspp-dump-sav.c:1585
>     #2 0x40d2c9 in read_bytes utilities/pspp-dump-sav.c:1601
>     #3 0x40c0e6 in open_text_record utilities/pspp-dump-sav.c:1399
>     #4 0x40a13c in read_long_var_name_map utilities/pspp-dump-sav.c:912
>     #5 0x40943a in read_extension_record utilities/pspp-dump-sav.c:626
>     #6 0x407340 in main utilities/pspp-dump-sav.c:218
>     #7 0x7fa0eb20d09a in __libc_start_main ../csu/libc-start.c:308
>     #8 0x4024d9 in _start (/tmp/pspp-1.2.0/utilities/pspp-dump-sav+0x4024d9)
>
> 0x602000000471 is located 0 bytes to the right of 1-byte region 
> [0x602000000470,0x602000000471)
> allocated by thread T0 here:
>     #0 0x7fa0ebac1ed0 in __interceptor_malloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0)
>     #1 0x40f138 in xmalloc gl/xmalloc.c:41
>     #2 0x40c0cb in open_text_record utilities/pspp-dump-sav.c:1398
>     #3 0x40a13c in read_long_var_name_map utilities/pspp-dump-sav.c:912
>     #4 0x40943a in read_extension_record utilities/pspp-dump-sav.c:626
>     #5 0x407340 in main utilities/pspp-dump-sav.c:218
>     #6 0x7fa0eb20d09a in __libc_start_main ../csu/libc-start.c:308
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow 
> (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x9810f)
> Shadow bytes around the buggy address:
>   0x0c047fff8030: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
>   0x0c047fff8040: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
>   0x0c047fff8050: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
>   0x0c047fff8060: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
>   0x0c047fff8070: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
> =>0x0c047fff8080: fa fa fd fa fa fa fd fa fa fa fd fa fa fa[01]fa
>   0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==6100==ABORTING

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20230
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20230
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1660318

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
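The report above pairs a 1-byte heap allocation made in open_text_record with a 199-byte write performed by read_bytes_internal, i.e. the length used for the allocation and the length used for the read were not the same value. The following is an added example, written for this page and not PSPP's own code, of a length-prefixed text-record reader in which the destination capacity travels with the pointer and the read is refused when it would exceed either that capacity or the remaining input. The header layout (little-endian u32 size, u32 count, then size*count data bytes), the function names and the sample records are assumptions made for illustration, not a description of the .sav format or of how pspp-dump-sav parses it.

```c
/* Added example (not PSPP's code): a bounds-checked reader for a
 * length-prefixed "text record".  Header layout, names and sample
 * data are assumptions for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct cursor {            /* unread slice of the input */
    const uint8_t *p;
    size_t left;
};

struct text_record {       /* heap buffer together with its capacity */
    char *buf;
    size_t cap;            /* bytes allocated, excluding the terminating NUL */
    size_t len;            /* bytes actually filled */
};

/* Copy n bytes from the cursor into dst.  Refuses, without writing,
 * a request larger than the caller's buffer or than the remaining input. */
static int read_bytes_checked(struct cursor *in, void *dst, size_t dst_cap, size_t n)
{
    if (n > dst_cap || n > in->left)
        return -1;
    memcpy(dst, in->p, n);
    in->p += n;
    in->left -= n;
    return 0;
}

static int read_u32le(struct cursor *in, uint32_t *out)
{
    uint8_t b[4];
    if (read_bytes_checked(in, b, sizeof b, sizeof b) != 0)
        return -1;
    *out = (uint32_t)b[0] | (uint32_t)b[1] << 8
         | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return 0;
}

/* Assumed header: u32 size, u32 count, then size*count data bytes.
 * One value, n, drives both the allocation and the read, and n is
 * validated (overflow, remaining input) before anything is allocated. */
static int open_text_record(struct cursor *in, struct text_record *rec)
{
    uint32_t size, count;
    rec->buf = NULL;
    rec->cap = rec->len = 0;
    if (read_u32le(in, &size) != 0 || read_u32le(in, &count) != 0)
        return -1;
    if (size != 0 && count > SIZE_MAX / size)   /* size*count would overflow */
        return -1;
    size_t n = (size_t)size * count;
    if (n > in->left)                           /* claims more data than exists */
        return -1;
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return -1;
    if (read_bytes_checked(in, buf, n, n) != 0) {
        free(buf);
        return -1;
    }
    buf[n] = '\0';
    rec->buf = buf;
    rec->cap = n;
    rec->len = n;
    return 0;
}

/* Constructed sample records (not taken from any real .sav file). */
static const uint8_t GOOD_RECORD[]  = { 1,0,0,0,   4,0,0,0, 'a','b','c','d' };
/* Claims 199 data bytes but carries only 4: must be rejected, not read. */
static const uint8_t SHORT_RECORD[] = { 1,0,0,0, 199,0,0,0, 'a','b','c','d' };

static int parse_record(const uint8_t *data, size_t len, struct text_record *rec)
{
    struct cursor in = { data, len };
    return open_text_record(&in, rec);
}

/* The shape of the reported crash: a 1-byte heap buffer and a 199-byte
 * read request.  Returns 0 when the read is correctly refused. */
static int demo_oversized_read_refused(void)
{
    uint8_t payload[199];
    memset(payload, 'A', sizeof payload);
    struct cursor in = { payload, sizeof payload };
    char *one = malloc(1);
    int rc = read_bytes_checked(&in, one, 1, sizeof payload);
    free(one);
    return rc == -1 ? 0 : 1;
}

int main(void)
{
    struct text_record rec;
    int ok = parse_record(GOOD_RECORD, sizeof GOOD_RECORD, &rec) == 0;
    printf("good record: %s\n", ok ? rec.buf : "rejected");
    free(rec.buf);
    printf("short record: %s\n",
           parse_record(SHORT_RECORD, sizeof SHORT_RECORD, &rec) == 0 ? "accepted (bug)" : "rejected");
    printf("199-byte read into 1-byte buffer: %s\n",
           demo_oversized_read_refused() == 0 ? "refused" : "performed (bug)");
    return 0;
}
```

Running the block under AddressSanitizer is a useful check in itself: because every read carries the destination capacity, no input record can turn a short allocation into a heap write past it, so the sanitizer stays silent on both the well-formed and the truncated sample.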
