unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: Leo Famulari <leo@famulari.name>
To: guix-devel@gnu.org
Subject: Flex security update: RCE in generated code (CVE-2016-6354)
Date: Fri, 26 Aug 2016 18:14:26 -0400	[thread overview]
Message-ID: <20160826221426.GA29432@jasmine> (raw)


[-- Attachment #1.1: Type: text/plain, Size: 676 bytes --]

There is a buffer overflow and potential remote code execution
vulnerability in flex's *generated code* before flex version 2.6.1,
CVE-2016-6354:

http://seclists.org/oss-sec/2016/q3/163
https://www.debian.org/security/2016/dsa-3653
https://security-tracker.debian.org/tracker/CVE-2016-6354

Flex has moved to GitHub [0], and so the source code is served over
HTTPS.  Flex is a dependency of GnuTLS. This would create a cycle in our
package graph. This is a problem we need to solve.

In the meantime, I've cherry-picked the commit that contains the bug
fix, and we can provide it as a patch. Please see attached.

[0]
https://sourceforge.net/p/flex/mailman/message/34913710/

[-- Attachment #1.2: 0001-gnu-flex-Fix-CVE-2016-6354.patch --]
[-- Type: text/plain, Size: 3247 bytes --]

From beca37a4edd7e4c4becca23d25c40a9ff43b08c7 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Fri, 26 Aug 2016 18:11:58 -0400
Subject: [PATCH] gnu: flex: Fix CVE-2016-6354.

* gnu/packages/flex.scm (flex)[replacement]: New field.
(flex/fixed): New variable.
* gnu/packages/patches/flex-CVE-2016-6354.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/flex.scm                         |  8 +++++++
 gnu/packages/patches/flex-CVE-2016-6354.patch | 30 +++++++++++++++++++++++++++
 3 files changed, 39 insertions(+)
 create mode 100644 gnu/packages/patches/flex-CVE-2016-6354.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index b8c5378..0ba281e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -505,6 +505,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/findutils-localstatedir.patch		\
   %D%/packages/patches/findutils-test-xargs.patch		\
   %D%/packages/patches/flashrom-use-libftdi1.patch		\
+  %D%/packages/patches/flex-CVE-2016-6354.patch			\
   %D%/packages/patches/flint-ldconfig.patch			\
   %D%/packages/patches/fltk-shared-lib-defines.patch		\
   %D%/packages/patches/fltk-xfont-on-demand.patch		\
diff --git a/gnu/packages/flex.scm b/gnu/packages/flex.scm
index 20aff19..b64af0d 100644
--- a/gnu/packages/flex.scm
+++ b/gnu/packages/flex.scm
@@ -31,6 +31,7 @@
 (define-public flex
   (package
     (name "flex")
+    (replacement flex/fixed)
     (version "2.6.0")
     (source (origin
              (method url-fetch)
@@ -78,3 +79,10 @@ regular expressions for each rule.  Whenever it finds a match, it
 executes the corresponding C code.")
     (license (non-copyleft "file://COPYING"
                         "See COPYING in the distribution."))))
+
+(define flex/fixed
+  (package
+    (inherit flex)
+    (source (origin
+              (inherit (package-source flex))
+              (patches (search-patches "flex-CVE-2016-6354.patch"))))))
diff --git a/gnu/packages/patches/flex-CVE-2016-6354.patch b/gnu/packages/patches/flex-CVE-2016-6354.patch
new file mode 100644
index 0000000..1f3cb02
--- /dev/null
+++ b/gnu/packages/patches/flex-CVE-2016-6354.patch
@@ -0,0 +1,30 @@
+Fix CVE-2016-6354 (Buffer overflow in generated code (yy_get_next_buffer).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354
+https://security-tracker.debian.org/tracker/CVE-2016-6354
+
+Patch copied from upstream source repository:
+https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466
+
+From a5cbe929ac3255d371e698f62dc256afe7006466 Mon Sep 17 00:00:00 2001
+From: Will Estes <westes575@gmail.com>
+Date: Sat, 27 Feb 2016 11:56:05 -0500
+Subject: [PATCH] Fixed incorrect integer type
+
+---
+ src/flex.skl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/flex.skl b/src/flex.skl
+index 36a526a..64f853d 100644
+--- a/src/flex.skl
++++ b/src/flex.skl
+@@ -1703,7 +1703,7 @@ int yyFlexLexer::yy_get_next_buffer()
+ 
+ 	else
+ 		{
+-			yy_size_t num_to_read =
++			int num_to_read =
+ 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+ 
+ 		while ( num_to_read <= 0 )
-- 
2.9.3


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

             reply	other threads:[~2016-08-26 22:14 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-08-26 22:14 Leo Famulari [this message]
2016-08-26 22:49 ` Flex security update: RCE in generated code (CVE-2016-6354) Leo Famulari
2016-08-27 21:48   ` Ludovic Courtès
2016-08-28  0:54     ` Leo Famulari
2016-08-28  9:41       ` Efraim Flashner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160826221426.GA29432@jasmine \
    --to=leo@famulari.name \
    --cc=guix-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).