On Fri, 30 Aug 2019, Agustin Martin wrote:
On Thu, Aug 29, 2019 at 12:20:28AM +0200, Agustin Martin wrote:
On Mon, Aug 19, 2019 at 04:33:40PM -0400, Kevin Atkinson wrote:
On Mon, 19 Aug 2019, Salvatore Bonaccorso wrote:
See https://lists.gnu.org/archive/html/aspell-announce/2019-08/msg00000.html
Within Debian the "pumpa" will need an update. Others might be
required as well. Kevin Atkinson might be up for help if needed.
Also see http://aspell.net/buffer-overread-ucs.txt for a slightly improved
version of the announcement that I edited for clarity.
Hi all,
This message is sent to all packages that depend in some way on
libaspell15 (pdo addresses bcc'ed)
A potentially unbounded buffer over-read has been found in in GNU
Aspell 0.60.*. Package aspell 0.60.7-1 has been uploaded to Debian
experimental, including upstream patch to deal with this problem.
Unfortunately this fix may break applications that use null-terminated
UCS-2 or UCS-4 strings with the C API. These applications will need
to be fixed to make use of the new more secure API in order to
continue to have a functional spell checker.
This is the list of non aspell packages depending on libaspell15 which
are possibly affected (maintainers bcc'ed).
I did a preliminary analysis of most of these packages and here is what I
found:
eiskaltdcpp-qt -- no -- utf-8
enchant -- no -- utf-8
gnustep-gui-runtime -- no -- utf-8
inkscape -- no -- utf-8
kdelibs5-plugins
libenchant1c2a -- no -- utf-8
libenchant2 -- unlikely -- [1]
libenchant-voikko -- unlikely -- [2]
librcc0
libtext-aspell-perl
mcabber -- no -- user can set encoding, but always passes in length
php7.3-pspell
pumpa -- YES
raspell
sonnet-plugins
tea -- no -- utf-8
weechat-plugins -- unlikely -- [3]
xmlcopyeditor
yagf
"utf-8" means that it sets the encoding to utf-8
[1] I didn't check libenchant2 but it still likely sets the encoding to
utf-8, but this should be verified.
[2] libenchant-voikko is a plugin for enchant to use the voikko spell checker
so I am not sure why it would directly use aspell
[3] unsure what is going on with weechat, it will use enchant if available so
the encoding is likely in utf-8, unsure what will happen if the ucs-2 encoding
is set in an aspell config file
KevinA
(Aspell Maintainer)
