On Wed, Dec 19, 2018 at 10:07:59PM -0800, Ben Pfaff wrote: > On Thu, Dec 20, 2018 at 06:22:14AM +0100, Salvatore Bonaccorso wrote: > > Source: pspp > > Version: 1.2.0-2 > > Severity: important > > Tags: security upstream > > > > Hi, > > > > The following vulnerability was published for pspp. > > > > CVE-2018-20230[0]: > > | An issue was discovered in PSPP 1.2.0. There is a heap-based buffer > > | overflow at the function read_bytes_internal in > > | utilities/pspp-dump-sav.c, which allows attackers to cause a denial of > > | service (application crash) or possibly have unspecified other impact. > > This is another instance of a recurring problem with PSPP, in which some > anonymous person reports a vulnerability to MITRE, but not to the > upstream authors or the pspp-security list, and so the authors only hear > about it when Red Hat and Debian file bugs based on it. It makes me > really mad.
Regardless of the questionable reporting done here, do you know if this bug has been addressed/reported upstream? Cheers, Moritz