On Thu, Dec 20, 2018 at 06:22:14AM +0100, Salvatore Bonaccorso wrote: > Source: pspp > Version: 1.2.0-2 > Severity: important > Tags: security upstream > > Hi, > > The following vulnerability was published for pspp. > > CVE-2018-20230[0]: > | An issue was discovered in PSPP 1.2.0. There is a heap-based buffer > | overflow at the function read_bytes_internal in > | utilities/pspp-dump-sav.c, which allows attackers to cause a denial of > | service (application crash) or possibly have unspecified other impact.
This is another instance of a recurring problem with PSPP, in which some anonymous person reports a vulnerability to MITRE, but not to the upstream authors or the pspp-security list, and so the authors only hear about it when Red Hat and Debian file bugs based on it. It makes me really mad. So, how did you find out about this vulnerability? I haven't found a way to monitor the MITRE database for PSPP-related vulnerabilities. They don't provide a way to do that (I even asked them a while back). Thanks, Ben.
