[OE-core] [PATCH] [zeus] aspell: CVE-2019-20433

Mittal, Anuj anuj.mittal at intel.com
Thu Mar 12 13:04:53 UTC 2020



> -----Original Message-----
> From: Mikko.Rapeli at bmw.de <Mikko.Rapeli at bmw.de>
> Sent: Thursday, March 12, 2020 08:34 PM
> To: Mittal, Anuj <anuj.mittal at intel.com>
> Cc: openembedded-core at lists.openembedded.org; stefan.ghinea at windriver.com
> Subject: Re: [OE-core] [PATCH] [zeus] aspell: CVE-2019-20433
> 
> On Thu, Mar 12, 2020 at 12:25:21PM +0000, Mittal, Anuj wrote:
> > It looks like this is changing the API. I wonder if this would need
> > any other change or break something elsewhere in OE-core, meta-oe?
> >
> > http://aspell.net/buffer-overread-ucs.txt
> 
> Debian classified issues as minor and fixed only by updating to 0.60.8:

They were applied to 0.60.7:

https://salsa.debian.org/debian/aspell/-/commit/ab3214b1e758646c5a995d277ac80f6d04566149

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935128

I think that "minor" categorization is for versions where it wasn't fixed. The NVD severity at the top says medium and it has been assigned a score of 9.1.

> 
> https://security-tracker.debian.org/tracker/CVE-2019-20433
> 
> https://metadata.ftp-master.debian.org/changelogs//main/a/aspell/aspell_0.60.8-1_changelog
> 
> Maybe whitelist for stable branches and update to new version on master?
> 

Whitelisting doesn't sound like the right thing to do here, especially since this is a valid problem.

Thanks,

Anuj
