
Bug#927798: unblock: pspp/1.2.0-3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package pspp


  [ Andreas Tille ]
  * Team upload.
  * Take over package into Debian Science team maintenance

  [ Ben Pfaff ]
  * Issue error message for too-large extension records. (CVE-2018-20230)
    Closes: #916902


unblock pspp/1.2.0-3

-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru pspp-1.2.0/debian/changelog pspp-1.2.0/debian/changelog
--- pspp-1.2.0/debian/changelog	2018-11-26 07:50:21.000000000 +0100
+++ pspp-1.2.0/debian/changelog	2019-04-23 13:59:03.000000000 +0200
@@ -1,3 +1,15 @@
+pspp (1.2.0-3) unstable; urgency=medium
+
+  [ Andreas Tille ]
+  * Team upload.
+  * Take over package into Debian Science team maintenance
+
+  [ Ben Pfaff ]
+  * Issue error message for too-large extension records. (CVE-2018-20230)
+    Closes: #916902
+
+ -- Andreas Tille <tille@debian.org>  Tue, 23 Apr 2019 13:59:03 +0200
+
 pspp (1.2.0-2) unstable; urgency=low
 
   * Fixed regression error in segmentation
diff -Nru pspp-1.2.0/debian/control pspp-1.2.0/debian/control
--- pspp-1.2.0/debian/control	2018-11-26 07:50:21.000000000 +0100
+++ pspp-1.2.0/debian/control	2019-04-23 13:59:03.000000000 +0200
@@ -1,8 +1,9 @@
 Source: pspp
 Section: math
 Priority: optional
-Maintainer: Friedrich Beckmann <friedrich.beckmann@gmx.de>
-Uploaders: Ben Pfaff <blp@cs.stanford.edu>
+Maintainer: Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>
+Uploaders: Friedrich Beckmann <friedrich.beckmann@gmx.de>,
+           Ben Pfaff <blp@cs.stanford.edu>
 # postgresql is disabled on hurd-i386 in order to remove
 # postgres support which will not build on hurd-i386
 # see: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820743
@@ -29,6 +30,8 @@
                libpq-dev,
 	       emacsen-common (>= 2.0.8)
 Standards-Version: 4.2.1
+Vcs-Browser: https://salsa.debian.org/science-team/pspp
+Vcs-Git: https://salsa.debian.org/science-team/pspp.git
 Homepage: http://savannah.gnu.org/projects/pspp
 
 Package: pspp
diff -Nru pspp-1.2.0/debian/patches/0002-pspp-dump-sav-Issue-error-message-for-too-large-exte.patch pspp-1.2.0/debian/patches/0002-pspp-dump-sav-Issue-error-message-for-too-large-exte.patch
--- pspp-1.2.0/debian/patches/0002-pspp-dump-sav-Issue-error-message-for-too-large-exte.patch	1970-01-01 01:00:00.000000000 +0100
+++ pspp-1.2.0/debian/patches/0002-pspp-dump-sav-Issue-error-message-for-too-large-exte.patch	2019-04-23 13:59:03.000000000 +0200
@@ -0,0 +1,126 @@
+From abd1f816ca3b4f382bddf4564ad092aa934f0ccc Mon Sep 17 00:00:00 2001
+Author: Ben Pfaff <blp@cs.stanford.edu>
+Date: Tue, 1 Jan 2019 08:36:05 -0800
+Bug-Debian: https://bugs.debian.org/916902
+Subject: [PATCH 02/67] pspp-dump-sav: Issue error message for too-large
+ extension records.
+
+CVE-2018-20230.
+---
+ NEWS                      |  2 ++
+ utilities/pspp-dump-sav.c | 30 ++++++++++++++++++------------
+ 2 files changed, 20 insertions(+), 12 deletions(-)
+
+--- a/NEWS
++++ b/NEWS
+@@ -4,6 +4,8 @@ See the end for copying conditions.
+ 
+ Please send PSPP bug reports to bug-gnu-pspp@gnu.org.
+ 
++ * Bug fix for CVE-2018-20230.
++
+ Changes from 1.0.1 to 1.2.0:
+ 
+  * New experimental command SAVE DATA COLLECTION to save MDD files.
+--- a/utilities/pspp-dump-sav.c
++++ b/utilities/pspp-dump-sav.c
+@@ -37,6 +37,7 @@
+ #include "gl/progname.h"
+ #include "gl/version-etc.h"
+ #include "gl/xalloc.h"
++#include "gl/xsize.h"
+ 
+ #define ID_MAX_LEN 64
+ 
+@@ -99,7 +100,7 @@ static void read_simple_compressed_data
+ static void read_zlib_compressed_data (struct sfm_reader *);
+ 
+ static struct text_record *open_text_record (
+-  struct sfm_reader *, size_t size);
++  struct sfm_reader *, size_t size, size_t count);
+ static void close_text_record (struct text_record *);
+ static bool read_variable_to_value_pair (struct text_record *,
+                                          char **key, char **value);
+@@ -735,7 +736,7 @@ read_extra_product_info (struct sfm_read
+   const char *s;
+ 
+   printf ("%08llx: extra product info\n", (long long int) ftello (r->file));
+-  text = open_text_record (r, size * count);
++  text = open_text_record (r, size, count);
+   s = text_get_all (text);
+   print_string (s, strlen (s));
+   close_text_record (text);
+@@ -749,7 +750,7 @@ read_mrsets (struct sfm_reader *r, size_
+ 
+   printf ("%08llx: multiple response sets\n",
+           (long long int) ftello (r->file));
+-  text = open_text_record (r, size * count);
++  text = open_text_record (r, size, count);
+   for (;;)
+     {
+       const char *name;
+@@ -909,7 +910,7 @@ read_long_var_name_map (struct sfm_reade
+ 
+   printf ("%08llx: long variable names (short => long)\n",
+           (long long int) ftello (r->file));
+-  text = open_text_record (r, size * count);
++  text = open_text_record (r, size, count);
+   while (read_variable_to_value_pair (text, &var, &long_name))
+     printf ("\t%s => %s\n", var, long_name);
+   close_text_record (text);
+@@ -926,7 +927,7 @@ read_long_string_map (struct sfm_reader
+ 
+   printf ("%08llx: very long strings (variable => length)\n",
+           (long long int) ftello (r->file));
+-  text = open_text_record (r, size * count);
++  text = open_text_record (r, size, count);
+   while (read_variable_to_value_pair (text, &var, &length_s))
+     printf ("\t%s => %d\n", var, atoi (length_s));
+   close_text_record (text);
+@@ -1004,7 +1005,7 @@ read_datafile_attributes (struct sfm_rea
+   struct text_record *text;
+ 
+   printf ("%08llx: datafile attributes\n", (long long int) ftello (r->file));
+-  text = open_text_record (r, size * count);
++  text = open_text_record (r, size, count);
+   read_attributes (r, text, "datafile");
+   close_text_record (text);
+ }
+@@ -1196,7 +1197,7 @@ read_variable_attributes (struct sfm_rea
+   struct text_record *text;
+ 
+   printf ("%08llx: variable attributes\n", (long long int) ftello (r->file));
+-  text = open_text_record (r, size * count);
++  text = open_text_record (r, size, count);
+   for (;;)
+     {
+       const char *variable = text_tokenize (text, ':');
+@@ -1389,18 +1390,23 @@ struct text_record
+     size_t pos;                 /* Current position in buffer. */
+   };
+ 
+-/* Reads SIZE bytes into a text record for R,
++/* Reads SIZE * COUNT bytes into a text record for R,
+    and returns the new text record. */
+ static struct text_record *
+-open_text_record (struct sfm_reader *r, size_t size)
++open_text_record (struct sfm_reader *r, size_t size, size_t count)
+ {
+   struct text_record *text = xmalloc (sizeof *text);
+-  char *buffer = xmalloc (size + 1);
+-  read_bytes (r, buffer, size);
++
++  if (size_overflow_p (xsum (1, xtimes (size, count))))
++    sys_error (r, "Extension record too large.");
++
++  size_t n_bytes = size * count;
++  char *buffer = xmalloc (n_bytes + 1);
++  read_bytes (r, buffer, n_bytes);
+   buffer[size] = '\0';
+   text->reader = r;
+   text->buffer = buffer;
+-  text->size = size;
++  text->size = n_bytes;
+   text->pos = 0;
+   return text;
+ }
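Review bot: In the new open_text_record, the terminator is still written with `buffer[size] = '\0';` although the buffer now holds `n_bytes = size * count` bytes, so the index no longer matches the allocation. With a record whose count is 0 and size is nonzero, the buffer is a single byte and that write lands outside it; with count greater than 1, the text is cut off after `size` bytes and the byte at `n_bytes` is never initialised. The line should be `buffer[n_bytes] = '\0';`, which also agrees with the new `text->size = n_bytes;`. The overflow check itself relies on sys_error not returning, which cannot be confirmed from this hunk because its definition is outside it.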
diff -Nru pspp-1.2.0/debian/patches/series pspp-1.2.0/debian/patches/series
--- pspp-1.2.0/debian/patches/series	2018-11-26 07:50:21.000000000 +0100
+++ pspp-1.2.0/debian/patches/series	2019-04-23 13:59:03.000000000 +0200
@@ -1,3 +1,4 @@
 move_appdata_directory.diff
 emacs_elpa.diff
 regression-segment-fix.patch
+0002-pspp-dump-sav-Issue-error-message-for-too-large-exte.patch
