Hi Ben!

On Wed, Dec 19, 2018 at 10:07:59PM -0800, Ben Pfaff wrote:
> On Thu, Dec 20, 2018 at 06:22:14AM +0100, Salvatore Bonaccorso wrote:
> > Source: pspp
> > Version: 1.2.0-2
> > Severity: important
> > Tags: security upstream
> >
> > Hi,
> >
> > The following vulnerability was published for pspp.
> >
> > CVE-2018-20230[0]:
> > | An issue was discovered in PSPP 1.2.0. There is a heap-based buffer
> > | overflow at the function read_bytes_internal in
> > | utilities/pspp-dump-sav.c, which allows attackers to cause a denial of
> > | service (application crash) or possibly have unspecified other impact.
>
> This is another instance of a recurring problem with PSPP, in which some
> anonymous person reports a vulnerability to MITRE, but not to the
> upstream authors or the pspp-security list, and so the authors only hear
> about it when Red Hat and Debian file bugs based on it. It makes me
> really mad.
I completely agree! Those reporters should not throw in such reports randomly in some bugzilla (we see that as well for the Debian BTS) but rather, if they want to report it downstream, then as well take care to notify upstream. This seems not to have happened here.

> So, how did you find out about this vulnerability? I haven't found a
> way to monitor the MITRE database for PSPP-related vulnerabilities.
> They don't provide a way to do that (I even asked them a while back).

We noticed it while monitoring the newly assigned CVEs from MITRE. The CVE list is updated regularly, which we twice a day import in the security-tracker data file and which we then later on look at to further investigate.

Regards,
Salvatore