Until now, the code only checked the first character of the name, which
made it possible to assert-fail when the mrset was actually added.
CVE-2017-12959.
See also https://bugzilla.redhat.com/show_bug.cgi?id=1482432.
See also http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12959.
See also http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12959.
Found by team OWL337, using the collAFL fuzzer.
Changes since 1.0.0:
- * Bug fixes, including a fix for CVE-2017-12958.
+ * Bug fixes, including fixes for CVE-2017-12958 and CVE-2017-12959.
Changes from 0.11.0 to 1.0.0:
size_t i;
name = recode_string ("UTF-8", r->encoding, s->name, -1);
- if (name[0] != '$')
+ if (!mrset_is_valid_name (name, dict_get_encoding (dict), false))
{
- sys_warn (r, -1, _("Multiple response set name `%s' does not begin "
- "with `$'."),
+ sys_warn (r, -1, _("Invalid multiple response set name `%s'."),
name);
free (name);
continue;
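Review bot: The replacement `sys_warn` text drops the reason the name was rejected. The old message said the name does not begin with `$'; the new one only says `Invalid multiple response set name`, so someone triaging a malformed system file cannot tell which naming rule failed. Consider keeping the `$' wording for that case and using the generic text for the other rejections, or having the validator report the reason. Separately, the bare `false` passed as the third argument to `mrset_is_valid_name` is opaque at this call site; a short comment stating what it turns off would help the next reader.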
MRSETS /DISPLAY NAME=ALL.
])
AT_CHECK([pspp -O format=csv sys-file.sps], [0], [dnl
-warning: `sys-file.sav': Multiple response set name `b' does not begin with `$'.
+warning: `sys-file.sav': Invalid multiple response set name `b'.
-warning: `sys-file.sav': Multiple response set name `e' does not begin with `$'.
+warning: `sys-file.sav': Invalid multiple response set name `e'.
Table: Multiple Response Sets
Name,Variables,Details
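Review bot: The expected output only rewords the warnings for the existing names `b` and `e`, which the old first-character check already rejected, so nothing here exercises the case the commit message describes: a name that begins with `$' but is otherwise invalid. Add a set with such a name to the test input and expect the `Invalid multiple response set name` warning for it, so that a regression to the assertion failure is caught by the test suite.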