Re: Bug#866890: pspp - cve-2017-10791 - cve-2017-10792

To: Ben Pfaff <blp@cs.stanford.edu>
Cc: John Darrington <john@darrington.wattle.id.au>, 866890@bugs.debian.org, ganshuitao@gmail.com, chaoz@tsinghua.edu.cn, pspp-dev@gnu.org, jmm@debian.org, debian-lts@lists.debian.org
Subject: Re: Bug#866890: pspp - cve-2017-10791 - cve-2017-10792
From: Friedrich Beckmann <friedrich.beckmann@gmx.de>
Date: Tue, 4 Jul 2017 17:52:05 +0200
Message-id: <[🔎] 9297F594-53DF-4E42-8DAE-E673424E7004@gmx.de>
In-reply-to: <[🔎] 20170704132714.GA15956@sigabrt.benpfaff.org>
References: <[🔎] E9A04352-48E6-4ED4-9B0A-3D6355516892@gmx.de> <[🔎] 20170703185055.GA20435@jocasta.intra> <[🔎] 20170704132714.GA15956@sigabrt.benpfaff.org>

Hi Ben,

my understanding is that they bring up two different problems.

For

https://bugzilla.redhat.com/show_bug.cgi?id=1467004 (Hash Function)

the argument is that shift operations and overflows are undefined or
implementation dependent for signed integers as used in the hash function.

https://www.securecoding.cert.org/confluence/display/c/INT13-C.+Use+bitwise+operators+only+on+unsigned+operands

Shifting a negative number is „bad“ by that definition and that is what they checked.

But when looking at the code, isn’t there a problem when a pointer is cast to integer
on 64 Bit platforms because the pointer is 64 Bit and the integer is 32 Bit in hash_pointer? Wouldn’t we
want to have a hash based on the 64 Bit as for hash_double?

For https://bugzilla.redhat.com/show_bug.cgi?id=1467005 (crash on csv conversion)

they managed to generate a file which results in a crash when analyzed. Although pspp
stills gives an error message that something is wrong in the file… 

Friedrich


> Am 04.07.2017 um 15:27 schrieb Ben Pfaff <blp@cs.stanford.edu>:
> 
> The attribution of the problem to the hash function is probably wrong,
> since that function is purely combinatorial logic, but the report as a
> whole is right because the attachment in the bug report at
> https://bugzilla.redhat.com/show_bug.cgi?id=1467004 does cause
> pspp-convert to assert-fail.
> 
> I'm looking into it.
> 
> On Mon, Jul 03, 2017 at 08:50:56PM +0200, John Darrington wrote:
>> I suspect this report is mistaken.  But this bit is Ben's code, so I'll let him comment on
>> that.
>> 
>> J'
>> 
>> On Mon, Jul 03, 2017 at 07:22:57AM +0200, Friedrich Beckmann wrote:
>>     Dear owl337 team,
>> 
>>     thanks for looking at pspp and finding the security problems
>> 
>>     https://security-tracker.debian.org/tracker/CVE-2017-10791
>> 
>>     and
>> 
>>     https://security-tracker.debian.org/tracker/CVE-2017-10792
>> 
>>     in pspp! Your reports are quite detailed. Could you describe how you found the problems, i.e. do
>>     you have some information about collAFL?
>> 
>>     Regards
>> 
>>     Friedrich
>> 
>> 
>> 
>>     _______________________________________________
>>     pspp-dev mailing list
>>     pspp-dev@gnu.org
>>     https://lists.gnu.org/mailman/listinfo/pspp-dev
>> 
>> -- 
>> Avoid eavesdropping.  Send strong encrypted email.
>> PGP Public key ID: 1024D/2DE827B3 
>> fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
>> See http://sks-keyservers.net or any PGP keyserver for public key.
>> 
> 
>

Reply to:

References:
- pspp - cve-2017-10791 - cve-2017-10792
  - From: Friedrich Beckmann <friedrich.beckmann@gmx.de>
- Re: pspp - cve-2017-10791 - cve-2017-10792
  - From: John Darrington <john@darrington.wattle.id.au>
- Re: Bug#866890: pspp - cve-2017-10791 - cve-2017-10792
  - From: Ben Pfaff <blp@cs.stanford.edu>

Prev by Date: Re: unattended upgrades don't work in wheezy
Next by Date: Re: pspp - cve-2017-10791 - cve-2017-10792
Previous by thread: Re: Bug#866890: pspp - cve-2017-10791 - cve-2017-10792
Next by thread: Re: pspp - cve-2017-10791 - cve-2017-10792
Index(es):
- Date
- Thread