The attribution of the problem to the hash function is probably wrong, since that function is purely combinatorial logic, but the report as a whole is right because the attachment in the bug report at https://bugzilla.redhat.com/show_bug.cgi?id=1467004 does cause pspp-convert to assert-fail.
I'm looking into it.

On Mon, Jul 03, 2017 at 08:50:56PM +0200, John Darrington wrote:
> I suspect this report is mistaken. But this bit is Ben's code, so I'll let
> him comment on that.
>
> J'
>
> On Mon, Jul 03, 2017 at 07:22:57AM +0200, Friedrich Beckmann wrote:
> Dear owl337 team,
>
> thanks for looking at pspp and finding the security problems
>
> https://security-tracker.debian.org/tracker/CVE-2017-10791
>
> and
>
> https://security-tracker.debian.org/tracker/CVE-2017-10792
>
> in pspp! Your reports are quite detailed. Could you describe how you
> found the problems, i.e. do you have some information about collAFL?
>
> Regards
>
> Friedrich