From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: Flex security update: RCE in generated code (CVE-2016-6354)
Date: Fri, 26 Aug 2016 18:14:26 -0400
Message-ID: <20160826221426.GA29432@jasmine>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="s2ZSL+KKDSLx8OML"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:37188)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1bdPOe-0008T7-Pl
	for guix-devel@gnu.org; Fri, 26 Aug 2016 18:14:46 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1bdPOZ-0003yg-Ai
	for guix-devel@gnu.org; Fri, 26 Aug 2016 18:14:43 -0400
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:34036)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1bdPOX-0003vL-SX
	for guix-devel@gnu.org; Fri, 26 Aug 2016 18:14:39 -0400
Received: from localhost (c-73-188-17-148.hsd1.pa.comcast.net [73.188.17.148])
	by mail.messagingengine.com (Postfix) with ESMTPA id 90D8AF29D2
	for <guix-devel@gnu.org>; Fri, 26 Aug 2016 18:14:28 -0400 (EDT)
Content-Disposition: inline
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org


--s2ZSL+KKDSLx8OML
Content-Type: multipart/mixed; boundary="X1bOJ3K7DJ5YkBrT"
Content-Disposition: inline


--X1bOJ3K7DJ5YkBrT
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

There is a buffer overflow and potential remote code execution
vulnerability in flex's *generated code* before flex version 2.6.1,
CVE-2016-6354:

http://seclists.org/oss-sec/2016/q3/163
https://www.debian.org/security/2016/dsa-3653
https://security-tracker.debian.org/tracker/CVE-2016-6354

Flex has moved to GitHub [0], and so the source code is served over
HTTPS.  Flex is a dependency of GnuTLS. This would create a cycle in our
package graph. This is a problem we need to solve.

In the meantime, I've cherry-picked the commit that contains the bug
fix, and we can provide it as a patch. Please see attached.

[0]
https://sourceforge.net/p/flex/mailman/message/34913710/

--X1bOJ3K7DJ5YkBrT
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="0001-gnu-flex-Fix-CVE-2016-6354.patch"
Content-Transfer-Encoding: quoted-printable

=46rom beca37a4edd7e4c4becca23d25c40a9ff43b08c7 Mon Sep 17 00:00:00 2001
=46rom: Leo Famulari <leo@famulari.name>
Date: Fri, 26 Aug 2016 18:11:58 -0400
Subject: [PATCH] gnu: flex: Fix CVE-2016-6354.

* gnu/packages/flex.scm (flex)[replacement]: New field.
(flex/fixed): New variable.
* gnu/packages/patches/flex-CVE-2016-6354.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/flex.scm                         |  8 +++++++
 gnu/packages/patches/flex-CVE-2016-6354.patch | 30 +++++++++++++++++++++++=
++++
 3 files changed, 39 insertions(+)
 create mode 100644 gnu/packages/patches/flex-CVE-2016-6354.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index b8c5378..0ba281e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -505,6 +505,7 @@ dist_patch_DATA =3D						\
   %D%/packages/patches/findutils-localstatedir.patch		\
   %D%/packages/patches/findutils-test-xargs.patch		\
   %D%/packages/patches/flashrom-use-libftdi1.patch		\
+  %D%/packages/patches/flex-CVE-2016-6354.patch			\
   %D%/packages/patches/flint-ldconfig.patch			\
   %D%/packages/patches/fltk-shared-lib-defines.patch		\
   %D%/packages/patches/fltk-xfont-on-demand.patch		\
diff --git a/gnu/packages/flex.scm b/gnu/packages/flex.scm
index 20aff19..b64af0d 100644
--- a/gnu/packages/flex.scm
+++ b/gnu/packages/flex.scm
@@ -31,6 +31,7 @@
 (define-public flex
   (package
     (name "flex")
+    (replacement flex/fixed)
     (version "2.6.0")
     (source (origin
              (method url-fetch)
@@ -78,3 +79,10 @@ regular expressions for each rule.  Whenever it finds a =
match, it
 executes the corresponding C code.")
     (license (non-copyleft "file://COPYING"
                         "See COPYING in the distribution."))))
+
+(define flex/fixed
+  (package
+    (inherit flex)
+    (source (origin
+              (inherit (package-source flex))
+              (patches (search-patches "flex-CVE-2016-6354.patch"))))))
diff --git a/gnu/packages/patches/flex-CVE-2016-6354.patch b/gnu/packages/p=
atches/flex-CVE-2016-6354.patch
new file mode 100644
index 0000000..1f3cb02
--- /dev/null
+++ b/gnu/packages/patches/flex-CVE-2016-6354.patch
@@ -0,0 +1,30 @@
+Fix CVE-2016-6354 (Buffer overflow in generated code (yy_get_next_buffer).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-6354
+https://security-tracker.debian.org/tracker/CVE-2016-6354
+
+Patch copied from upstream source repository:
+https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe700=
6466
+
+From a5cbe929ac3255d371e698f62dc256afe7006466 Mon Sep 17 00:00:00 2001
+From: Will Estes <westes575@gmail.com>
+Date: Sat, 27 Feb 2016 11:56:05 -0500
+Subject: [PATCH] Fixed incorrect integer type
+
+---
+ src/flex.skl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/flex.skl b/src/flex.skl
+index 36a526a..64f853d 100644
+--- a/src/flex.skl
++++ b/src/flex.skl
+@@ -1703,7 +1703,7 @@ int yyFlexLexer::yy_get_next_buffer()
+=20
+ 	else
+ 		{
+-			yy_size_t num_to_read =3D
++			int num_to_read =3D
+ 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+=20
+ 		while ( num_to_read <=3D 0 )
--=20
2.9.3


--X1bOJ3K7DJ5YkBrT--

--s2ZSL+KKDSLx8OML
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXwL8+AAoJECZG+jC6yn8IXYAP/3UmBTsF6Tdr6Xow8+96AzjN
dwQvX0S3/QkN/i0Tqd9ddigjab93RzOUSX72jpw3PMBnvrgiaPV+xionG8H4FrCI
m2KAj0Dd0HlRdpp9BleJ5zRxa5lLEszd+2s4TbxCLcPMcZvC0H2niquCjRlzrybY
ol8JKhyN5D6PjZvfrGzGLDNG4/Yb+mqKEyMzjRdFgmjc4P1KWRXTzgAlXUEaDSUx
xeJWCf3qJdKNPyoPm+O63TONBTCSXZWZLvDXYYZSIPCc43nq7Uj9+MmgRNY9yeIz
xw1Vt6zrdZF/Kx/lvvZtoWS6cnGnyDIv9QSDs0UcU16MW4Vy3IhKXhfmXn0s/dCS
xQgOi1u9vmT8xXPxND2fAqEx1LEdPxHF0/+e5fdTHdp8FDQDMXH7nkD2jMqFyt3U
pMIbMboiL0dTtRaa6Fr6xg8XLHCx4LJQdjCvLfowvkVU2WQwqOndpUCZGMUcGAQw
Elej5EbME76sGeq7PcS8ZHXkfxPoO1daWffLdGJh/nCUNC5/87e9uh2lHP412QrZ
1W3XAYlRtuJAm9nT/Rk/1H8lj6q06Jjsc0k4NwuAPZ9lvo6rcwm5FQQpwI20iO6B
MzWFGu34XTpDzu9YnC4Whkyjx1EDX3tFypoeNC2alyEdGSaELaDw1W2wNv2waZF5
WPWsqNHD8zqNq4dLniY3
=Hm1i
-----END PGP SIGNATURE-----

--s2ZSL+KKDSLx8OML--