CVE-2025-5001: 
Linux Debian vulnerability analysis and mitigation

A vulnerability (CVE-2025-5001) was discovered in GNU PSPP version 82fb509fb2fedd33e7ac0c46ca99e108bb3bdffb, specifically affecting the calloc function in the pspp-convert.c file. The vulnerability was disclosed on May 20, 2025, and involves an integer overflow condition that occurs when manipulating the -l argument used for password brute-forcing encrypted syntax files (Wiz, GNU Bug).

The vulnerability is classified as an integer overflow (CWE-190) and numeric error (CWE-189). When processing the -l argument in pspp-convert.c, the application fails to properly validate input values, leading to an unreasonably large memory allocation attempt through the calloc function. The vulnerability has received a CVSS v3.1 score of 3.3 (LOW) with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, and a CVSS v4.0 score of 4.8 (MEDIUM) with the vector CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (VulDB).

The exploitation of this vulnerability can lead to a system crash due to failed memory allocation attempts. The impact primarily affects system availability, with no direct impact on confidentiality or integrity (VulDB).

Currently, there are no known official fixes or mitigations available for this vulnerability. The recommendation is to consider replacing the affected software with an alternative product until a patch is released (VulDB).