Bug 1683499
| Summary: | There is a reachable assertion abort in the function write_long_string_missing_values() in sys-file-writer.c of the libpspp library in GNU PSPP 1.2.0 that will lead to denial of service. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | seri0us <teamseri0us360> | ||||
| Component: | pspp | Assignee: | Peter Lemenkov <lemenkov> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | rawhide | CC: | amello, blp, lemenkov | ||||
| Target Milestone: | --- | Keywords: | Reopened | ||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | pspp-1.2.0-2.fc30 pspp-1.2.0-2.fc29 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2019-04-03 00:39:19 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
I fixed this on PSPP master with commit 0b842a843537 ("sys-file-writer: Remove assertions based on file position.").
seri0us, are you the person who discovered the bug? If so, I hope you realize how antisocial it is to report security bugs only to downstream distributors like Red Hat and Debian and to aggregators like MITRE. The polite thing to do is to report security bugs to software authors and maintainers some days or weeks before anyone else, to give them a chance to fix the problems before they affect the public.
Thanks for your reply! Sorry about my mistake. I will correct my action and report this issue to my team. @seri0us Thank you! pspp-1.2.0-2.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6dcb6b21de pspp-1.2.0-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-817ff2201f pspp-1.2.0-2.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6dcb6b21de pspp-1.2.0-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-817ff2201f pspp-1.2.0-2.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report. pspp-1.2.0-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. |
Created attachment 1539022 [details] poc Description of problem: There is a reachable assertion abort in the function write_long_string_missing_values() in sys-file-writer.c of the libpspp library in GNU PSPP 1.2.0 that will lead to remote denial of service. Version-Release number of selected component (if applicable): 1.2.0 How reproducible: pspp-convert poc -O sav /dev/null Actual results: assertion abort Additional info: output ``` pspp-convert: src/data/sys-file-writer.c:1090: void write_long_string_missing_values(struct sfm_writer *, const struct dictionary *): Assertion `ftello (w->file) == start + size' failed. Aborted (core dumped) ``` source ``` In file: /home/pwd/fuzz/fuzz-pspp/pspp-1.2.0/src/data/sys-file-writer.c write_int (w, 8); 1087 write_bytes (w, value_str (value, width), 8); 1088 } 1089 } ► 1090 assert (ftello (w->file) == start + size); 1091 } 1092 ```