On Fri, Aug 30, 2019 at 05:57:30AM -0400, Kevin Atkinson wrote: > On Fri, 30 Aug 2019, Agustin Martin wrote: > > > On Thu, Aug 29, 2019 at 12:20:28AM +0200, Agustin Martin wrote: > > > On Mon, Aug 19, 2019 at 04:33:40PM -0400, Kevin Atkinson wrote: > > > > On Mon, 19 Aug 2019, Salvatore Bonaccorso wrote: > > > > > > > > > See > > > > > https://lists.gnu.org/archive/html/aspell-announce/2019-08/msg00000.html > > > > > > > > > Within Debian the "pumpa" will need an update. Others might be > > > > > required as well. Kevin Atkinson might be up for help if needed. > > > > Also see http://aspell.net/buffer-overread-ucs.txt for a slightly > > > > improved > > > > version of the announcement that I edited for clarity. > > > > > > Hi all, > > > > > > This message is sent to all packages that depend in some way on > > > libaspell15 (pdo addresses bcc'ed) > > > > > > A potentially unbounded buffer over-read has been found in in GNU > > > Aspell 0.60.*. Package aspell 0.60.7-1 has been uploaded to Debian > > > experimental, including upstream patch to deal with this problem. > > > > > > Unfortunately this fix may break applications that use null-terminated > > > UCS-2 or UCS-4 strings with the C API. These applications will need > > > to be fixed to make use of the new more secure API in order to > > > continue to have a functional spell checker. > > > > This is the list of non aspell packages depending on libaspell15 which > > are possibly affected (maintainers bcc'ed). > > I did a preliminary analysis of most of these packages and here is what I > found: > > eiskaltdcpp-qt -- no -- utf-8 > enchant -- no -- utf-8 > gnustep-gui-runtime -- no -- utf-8 > inkscape -- no -- utf-8 > kdelibs5-plugins libenchant1c2a -- no -- utf-8 > libenchant2 -- unlikely -- [1] > libenchant-voikko -- unlikely -- [2] > librcc0 > libtext-aspell-perl > mcabber -- no -- user can set encoding, but always passes in length > php7.3-pspell > pumpa -- YES > raspell > sonnet-plugins > tea -- no -- utf-8 > weechat-plugins -- unlikely -- [3] > xmlcopyeditor > yagf
Thanks a lot for running this analysis. Seems that in the analyzed packages the only clearly affected is pumpa. I will monitor it in case a bug report is filed. I never used pumpa and it has a low popcon, so we may never get a proper bug report about this. Regards, -- Agustin
