Re: Bug#866890: pspp - cve-2017-10791 - cve-2017-10792
From: Ben Pfaff
Subject: Re: Bug#866890: pspp - cve-2017-10791 - cve-2017-10792
Date: Tue, 4 Jul 2017 09:27:14 -0400
User-agent: Mutt/1.5.23 (2014-03-12)

The attribution of the problem to the hash function is probably wrong,
since that function is purely combinatorial logic, but the report as a
whole is right because the attachment in the bug report at
https://bugzilla.redhat.com/show_bug.cgi?id=1467004 does cause
pspp-convert to assert-fail.
I'm looking into it.
On Mon, Jul 03, 2017 at 08:50:56PM +0200, John Darrington wrote:
> I suspect this report is mistaken. But this bit is Ben's code, so I'll let
> him comment on that.
>
> J'
>
> On Mon, Jul 03, 2017 at 07:22:57AM +0200, Friedrich Beckmann wrote:
> Dear owl337 team,
>
> thanks for looking at pspp and finding the security problems
>
> https://security-tracker.debian.org/tracker/CVE-2017-10791
>
> and
>
> https://security-tracker.debian.org/tracker/CVE-2017-10792
>
> in pspp! Your reports are quite detailed. Could you describe how you
> found the problems, i.e. do you have some information about collAFL?
>
> Regards
>
> Friedrich
>
> --
> Avoid eavesdropping. Send strong encrypted email.
> PGP Public key ID: 1024D/2DE827B3
> fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3
> See http://sks-keyservers.net or any PGP keyserver for public key.
>