[DRE-maint] Bug#935128: aspell: potentially unbounded buffer over-read in GNU Aspell 0.60.*

Agustin Martin agmartin at debian.org
Wed Aug 28 23:20:28 BST 2019


On Mon, Aug 19, 2019 at 04:33:40PM -0400, Kevin Atkinson wrote:
> On Mon, 19 Aug 2019, Salvatore Bonaccorso wrote:
>
> > See https://lists.gnu.org/archive/html/aspell-announce/2019-08/msg00000.html
>
> > Within Debian the "pumpa" will need an update. Others might be
> > required as well. Kevin Atkinson might be up for help if needed.
> Also see http://aspell.net/buffer-overread-ucs.txt for a slightly improved
> version of the announcement that I edited for clarity.

Hi all,

This message is sent to all packages that depend in some way on
libaspell15 (pdo addresses bcc'ed).

A potentially unbounded buffer over-read has been found in GNU
Aspell 0.60.*. Package aspell 0.60.7-1 has been uploaded to Debian
experimental, including the upstream patch to deal with this problem.

Unfortunately this fix may break applications that use null-terminated
UCS-2 or UCS-4 strings with the C API.  These applications will need
to be fixed to make use of the new more secure API in order to
continue to have a functional spell checker.

Most applications use UTF-8 strings and thus do not need to be fixed.

Please read http://aspell.net/buffer-overread-ucs.txt (and the
original announcement in
https://lists.gnu.org/archive/html/aspell-announce/2019-08/msg00000.html)
for details and check if your package is affected. That file and the new
aspell manual contain information about what to do if that happens.

I would like to leave the aspell package in experimental for one week to
allow possibly affected packages to be checked and fixed if
appropriate. Since there is no longer a dict-common-dev mailing list,
please use this bug report to notify us if your package is affected and
if you need more time before the new aspell with that fix is uploaded to
sid. If you need additional help, please contact the aspell-devel
mailing list (https://lists.gnu.org/mailman/listinfo/aspell-devel).

Regards,



More information about the Pkg-ruby-extras-maintainers mailing list