CVE-2025-5899

NameCVE-2025-5899
DescriptionA vulnerability classified as critical was found in GNU PSPP 82fb509fb2fedd33e7ac0c46ca99e108bb3bdffb. Affected by this vulnerability is the function parse_variables_option of the file utilities/pspp-convert.c. The manipulation leads to free of memory not on the heap. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1107819

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pspp (PTS)bullseye1.4.1-1vulnerable
bookworm1.6.2-2vulnerable
forky, sid, trixie2.0.1-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
psppsource(unstable)(unfixed)1107819

Notes

[trixie] - pspp <no-dsa> (Minor issue)
[bookworm] - pspp <no-dsa> (Minor issue)
[bullseye] - pspp <postponed> (Minor issue)
https://savannah.gnu.org/bugs/index.php?67072
Search for package or bug name: Reporting problems