From: Leo Famulari <leo@famulari.name>
To: guix-devel@gnu.org
Subject: Flex security update: RCE in generated code (CVE-2016-6354)
Date: Fri, 26 Aug 2016 18:14:26 -0400 [thread overview]
Message-ID: <20160826221426.GA29432@jasmine> (raw)
[-- Attachment #1.1: Type: text/plain, Size: 676 bytes --]
There is a buffer overflow and potential remote code execution
vulnerability in flex's *generated code* before flex version 2.6.1,
CVE-2016-6354:
http://seclists.org/oss-sec/2016/q3/163
https://www.debian.org/security/2016/dsa-3653
https://security-tracker.debian.org/tracker/CVE-2016-6354
Flex has moved to GitHub [0], and so the source code is served over
HTTPS. Flex is a dependency of GnuTLS. This would create a cycle in our
package graph. This is a problem we need to solve.
In the meantime, I've cherry-picked the commit that contains the bug
fix, and we can provide it as a patch. Please see attached.
[0]
https://sourceforge.net/p/flex/mailman/message/34913710/
[-- Attachment #1.2: 0001-gnu-flex-Fix-CVE-2016-6354.patch --]
[-- Type: text/plain, Size: 3247 bytes --]
From beca37a4edd7e4c4becca23d25c40a9ff43b08c7 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Fri, 26 Aug 2016 18:11:58 -0400
Subject: [PATCH] gnu: flex: Fix CVE-2016-6354.
* gnu/packages/flex.scm (flex)[replacement]: New field.
(flex/fixed): New variable.
* gnu/packages/patches/flex-CVE-2016-6354.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
gnu/local.mk | 1 +
gnu/packages/flex.scm | 8 +++++++
gnu/packages/patches/flex-CVE-2016-6354.patch | 30 +++++++++++++++++++++++++++
3 files changed, 39 insertions(+)
create mode 100644 gnu/packages/patches/flex-CVE-2016-6354.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index b8c5378..0ba281e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -505,6 +505,7 @@ dist_patch_DATA = \
%D%/packages/patches/findutils-localstatedir.patch \
%D%/packages/patches/findutils-test-xargs.patch \
%D%/packages/patches/flashrom-use-libftdi1.patch \
+ %D%/packages/patches/flex-CVE-2016-6354.patch \
%D%/packages/patches/flint-ldconfig.patch \
%D%/packages/patches/fltk-shared-lib-defines.patch \
%D%/packages/patches/fltk-xfont-on-demand.patch \
diff --git a/gnu/packages/flex.scm b/gnu/packages/flex.scm
index 20aff19..b64af0d 100644
--- a/gnu/packages/flex.scm
+++ b/gnu/packages/flex.scm
@@ -31,6 +31,7 @@
(define-public flex
(package
(name "flex")
+ (replacement flex/fixed)
(version "2.6.0")
(source (origin
(method url-fetch)
@@ -78,3 +79,10 @@ regular expressions for each rule. Whenever it finds a match, it
executes the corresponding C code.")
(license (non-copyleft "file://COPYING"
"See COPYING in the distribution."))))
+
+(define flex/fixed
+ (package
+ (inherit flex)
+ (source (origin
+ (inherit (package-source flex))
+ (patches (search-patches "flex-CVE-2016-6354.patch"))))))
diff --git a/gnu/packages/patches/flex-CVE-2016-6354.patch b/gnu/packages/patches/flex-CVE-2016-6354.patch
new file mode 100644
index 0000000..1f3cb02
--- /dev/null
+++ b/gnu/packages/patches/flex-CVE-2016-6354.patch
@@ -0,0 +1,30 @@
+Fix CVE-2016-6354 (Buffer overflow in generated code (yy_get_next_buffer).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354
+https://security-tracker.debian.org/tracker/CVE-2016-6354
+
+Patch copied from upstream source repository:
+https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466
+
+From a5cbe929ac3255d371e698f62dc256afe7006466 Mon Sep 17 00:00:00 2001
+From: Will Estes <westes575@gmail.com>
+Date: Sat, 27 Feb 2016 11:56:05 -0500
+Subject: [PATCH] Fixed incorrect integer type
+
+---
+ src/flex.skl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/flex.skl b/src/flex.skl
+index 36a526a..64f853d 100644
+--- a/src/flex.skl
++++ b/src/flex.skl
+@@ -1703,7 +1703,7 @@ int yyFlexLexer::yy_get_next_buffer()
+
+ else
+ {
+- yy_size_t num_to_read =
++ int num_to_read =
+ YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+
+ while ( num_to_read <= 0 )
--
2.9.3
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
next reply other threads:[~2016-08-26 22:14 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-26 22:14 Leo Famulari [this message]
2016-08-26 22:49 ` Flex security update: RCE in generated code (CVE-2016-6354) Leo Famulari
2016-08-27 21:48 ` Ludovic Courtès
2016-08-28 0:54 ` Leo Famulari
2016-08-28 9:41 ` Efraim Flashner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160826221426.GA29432@jasmine \
--to=leo@famulari.name \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).