Bug 1764299 (CVE-2019-20433) - CVE-2019-20433 aspell: UCS-2 and UCS-4 null-terminated string handling OOB read
Summary: CVE-2019-20433 aspell: UCS-2 and UCS-4 null-terminated string handling OOB read
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-20433
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1795259 (view as bug list)
Depends On: 1764300 1795218 1795219
Blocks: 1764301 1795260
TreeView+ depends on / blocked
 
Reported: 2019-10-22 16:54 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-10-25 09:55 UTC (History)
3 users (show)

Fixed In Version: aspell 0.60.8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-25 09:55:46 UTC
Embargoed:

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2019-10-22 16:54:43 UTC 
Potentially unbounded buffer over-read as Aspell looks for the non-existent multi-byte null terminator if the encoding is set to "ucs-2" or "ucs-4" outside of the application, from configuration file or environment variable, and a normal null-terminated string (for example UTF-8) is used.

References:
https://lists.gnu.org/archive/html/aspell-announce/2019-08/msg00000.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935128
Comment 1 Guilherme de Almeida Suckevicz 2019-10-22 16:54:54 UTC 
Created aspell tracking bugs for this issue:

Affects: fedora-all [bug 1764300]
Comment 2 Stefan Cornelius 2019-12-10 15:16:33 UTC 
Patch:
https://github.com/GNUAspell/aspell/commit/de29341638833ba7717bd6b5e6850998454b044b

NOTE: This patch will break existing applications under certain conditions.

Upstream recommends this additional patch to increase the version:
https://github.com/GNUAspell/aspell/commit/cefd447e5528b08bb0cd6656bc52b4255692cefc
Comment 6 Stefan Cornelius 2020-02-06 12:39:52 UTC 
*** Bug 1795259 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.