On Wed, Dec 19, 2018 at 10:07:59PM -0800, Ben Pfaff wrote:
> On Thu, Dec 20, 2018 at 06:22:14AM +0100, Salvatore Bonaccorso wrote:
> > Source: pspp
> > Version: 1.2.0-2
> > Severity: important
> > Tags: security upstream
> > 
> > Hi,
> > 
> > The following vulnerability was published for pspp.
> > 
> > CVE-2018-20230[0]:
> > | An issue was discovered in PSPP 1.2.0. There is a heap-based buffer
> > | overflow at the function read_bytes_internal in
> > | utilities/pspp-dump-sav.c, which allows attackers to cause a denial of
> > | service (application crash) or possibly have unspecified other impact.
> 
> This is another instance of a recurring problem with PSPP, in which some
> anonymous person reports a vulnerability to MITRE, but not to the
> upstream authors or the pspp-security list, and so the authors only hear
> about it when Red Hat and Debian file bugs based on it.  It makes me
> really mad.

Regardless of the questionable reporting done here, do you know if this
bug has been addressed/reported upstream?

Cheers,
        Moritz