Bug 1683499 - There is a reachable assertion abort in the function write_long_string_missing_values() in sys-file-writer.c of the libpspp library in GNU PSPP 1.2.0 that will lead to denial of service.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pspp   
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Assignee: Peter Lemenkov
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2019-02-27 02:34 UTC by seri0us
Modified: 2019-04-06 19:43 UTC

Fixed In Version: pspp-1.2.0-2.fc30 pspp-1.2.0-2.fc29
Last Closed: 2019-04-03 00:39:19 UTC
Type: Bug

Attachments
poc (15.86 KB, application/x-spss-sav)
2019-02-27 02:34 UTC, seri0us

Description seri0us 2019-02-27 02:34:36 UTC
Created attachment 1539022
poc

Description of problem:
There is a reachable assertion abort in the function write_long_string_missing_values() in sys-file-writer.c of the libpspp library in GNU PSPP 1.2.0 that will lead to remote denial of service.

Version-Release number of selected component (if applicable):
1.2.0

How reproducible:
```
pspp-convert poc -O sav /dev/null
```


Actual results:
assertion abort


Additional info:
output
```
pspp-convert: src/data/sys-file-writer.c:1090: void write_long_string_missing_values(struct sfm_writer *, const struct dictionary *): Assertion `ftello (w->file) == start + size' failed.
Aborted (core dumped)
```
source
```
In file: /home/pwd/fuzz/fuzz-pspp/pspp-1.2.0/src/data/sys-file-writer.c

           write_int (w, 8);
   1087           write_bytes (w, value_str (value, width), 8);
   1088         }
   1089     }
 ► 1090   assert (ftello (w->file) == start + size);
   1091 }
   1092 

```
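
Added example, not part of the original report and not PSPP's code: a reduced C writer showing how a record-size invariant like the one in the listing above can be enforced with an error return instead of an `assert` on the file position. The struct, the function names and the declared/present mismatch are assumptions made for illustration; the report does not state why the position differed in PSPP.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical writer that tracks its own byte count instead of asking
   the stream for its position (ftello() fails on pipes, for example). */
struct rec_writer {
    FILE *file;
    uint64_t written;   /* bytes successfully handed to stdio */
    int failed;         /* sticky I/O error flag */
};

static void put_bytes(struct rec_writer *w, const void *p, size_t n)
{
    if (!w->failed && fwrite(p, 1, n, w->file) == n)
        w->written += n;
    else
        w->failed = 1;
}

static void put_u32(struct rec_writer *w, uint32_t v)
{
    put_bytes(w, &v, sizeof v);
}

/* Writes a record whose header declares `declared` 8-byte values while
   the body loop emits `present` of them (assumption: both counts are
   derived from the input file being converted). Returns 0 on success,
   -1 on I/O error or when the body disagrees with the declared size. */
int write_values_record(struct rec_writer *w, const char (*vals)[8],
                        uint32_t declared, uint32_t present)
{
    uint64_t start = w->written;
    uint64_t size = 4 + (uint64_t) declared * (4 + 8);

    put_u32(w, declared);
    for (uint32_t i = 0; i < present; i++) {
        put_u32(w, 8);
        put_bytes(w, vals[i], 8);
    }
    /* Fragile form: assert (ftello (w->file) == start + size);
       a mismatch there aborts the whole process. */
    if (w->failed || w->written != start + size)
        return -1;      /* caller reports the error and discards the output */
    return 0;
}
```

With the check expressed as a return value, a malformed input makes the conversion fail with a diagnostic while the process keeps running.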

Comment 1 Ben Pfaff 2019-02-28 04:23:48 UTC
I fixed this on PSPP master with commit 0b842a843537 ("sys-file-writer: Remove assertions based on file position.").

seri0us, are you the person who discovered the bug?  If so, I hope you realize how antisocial it is to report security bugs only to downstream distributors like Red Hat and Debian and to aggregators like MITRE.  The polite thing to do is to report security bugs to software authors and maintainers some days or weeks before anyone else, to give them a chance to fix the problems before they affect the public.

Comment 2 seri0us 2019-02-28 06:37:07 UTC
Thanks for your reply!

Sorry about my mistake. I will correct my action and report this issue to my team.

Comment 3 Ben Pfaff 2019-02-28 18:39:27 UTC
@seri0us Thank you!

Comment 4 Fedora Update System 2019-03-28 11:43:35 UTC
pspp-1.2.0-2.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6dcb6b21de

Comment 5 Fedora Update System 2019-03-28 11:43:48 UTC
pspp-1.2.0-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-817ff2201f

Comment 6 Fedora Update System 2019-03-29 00:12:54 UTC
pspp-1.2.0-2.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6dcb6b21de

Comment 7 Fedora Update System 2019-03-29 04:15:54 UTC
pspp-1.2.0-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-817ff2201f

Comment 8 Fedora Update System 2019-04-03 00:39:19 UTC
pspp-1.2.0-2.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2019-04-06 19:43:16 UTC
pspp-1.2.0-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

