* Flex security update: RCE in generated code (CVE-2016-6354)
@ 2016-08-26 22:14 Leo Famulari
2016-08-26 22:49 ` Leo Famulari
0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-08-26 22:14 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1.1: Type: text/plain, Size: 676 bytes --]
There is a buffer overflow and potential remote code execution
vulnerability in flex's *generated code* before flex version 2.6.1,
CVE-2016-6354:
http://seclists.org/oss-sec/2016/q3/163
https://www.debian.org/security/2016/dsa-3653
https://security-tracker.debian.org/tracker/CVE-2016-6354
Flex has moved to GitHub [0], and so the source code is served over
HTTPS. Flex is a dependency of GnuTLS. This would create a cycle in our
package graph. This is a problem we need to solve.
In the meantime, I've cherry-picked the commit that contains the bug
fix, and we can provide it as a patch. Please see attached.
[0]
https://sourceforge.net/p/flex/mailman/message/34913710/
[-- Attachment #1.2: 0001-gnu-flex-Fix-CVE-2016-6354.patch --]
[-- Type: text/plain, Size: 3247 bytes --]
From beca37a4edd7e4c4becca23d25c40a9ff43b08c7 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Fri, 26 Aug 2016 18:11:58 -0400
Subject: [PATCH] gnu: flex: Fix CVE-2016-6354.
* gnu/packages/flex.scm (flex)[replacement]: New field.
(flex/fixed): New variable.
* gnu/packages/patches/flex-CVE-2016-6354.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
gnu/local.mk | 1 +
gnu/packages/flex.scm | 8 +++++++
gnu/packages/patches/flex-CVE-2016-6354.patch | 30 +++++++++++++++++++++++++++
3 files changed, 39 insertions(+)
create mode 100644 gnu/packages/patches/flex-CVE-2016-6354.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index b8c5378..0ba281e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -505,6 +505,7 @@ dist_patch_DATA = \
%D%/packages/patches/findutils-localstatedir.patch \
%D%/packages/patches/findutils-test-xargs.patch \
%D%/packages/patches/flashrom-use-libftdi1.patch \
+ %D%/packages/patches/flex-CVE-2016-6354.patch \
%D%/packages/patches/flint-ldconfig.patch \
%D%/packages/patches/fltk-shared-lib-defines.patch \
%D%/packages/patches/fltk-xfont-on-demand.patch \
diff --git a/gnu/packages/flex.scm b/gnu/packages/flex.scm
index 20aff19..b64af0d 100644
--- a/gnu/packages/flex.scm
+++ b/gnu/packages/flex.scm
@@ -31,6 +31,7 @@
(define-public flex
(package
(name "flex")
+ (replacement flex/fixed)
(version "2.6.0")
(source (origin
(method url-fetch)
@@ -78,3 +79,10 @@ regular expressions for each rule. Whenever it finds a match, it
executes the corresponding C code.")
(license (non-copyleft "file://COPYING"
"See COPYING in the distribution."))))
+
+(define flex/fixed
+ (package
+ (inherit flex)
+ (source (origin
+ (inherit (package-source flex))
+ (patches (search-patches "flex-CVE-2016-6354.patch"))))))
diff --git a/gnu/packages/patches/flex-CVE-2016-6354.patch b/gnu/packages/patches/flex-CVE-2016-6354.patch
new file mode 100644
index 0000000..1f3cb02
--- /dev/null
+++ b/gnu/packages/patches/flex-CVE-2016-6354.patch
@@ -0,0 +1,30 @@
+Fix CVE-2016-6354 (Buffer overflow in generated code (yy_get_next_buffer).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354
+https://security-tracker.debian.org/tracker/CVE-2016-6354
+
+Patch copied from upstream source repository:
+https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466
+
+From a5cbe929ac3255d371e698f62dc256afe7006466 Mon Sep 17 00:00:00 2001
+From: Will Estes <westes575@gmail.com>
+Date: Sat, 27 Feb 2016 11:56:05 -0500
+Subject: [PATCH] Fixed incorrect integer type
+
+---
+ src/flex.skl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/flex.skl b/src/flex.skl
+index 36a526a..64f853d 100644
+--- a/src/flex.skl
++++ b/src/flex.skl
+@@ -1703,7 +1703,7 @@ int yyFlexLexer::yy_get_next_buffer()
+
+ else
+ {
+- yy_size_t num_to_read =
++ int num_to_read =
+ YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+
+ while ( num_to_read <= 0 )
--
2.9.3
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: Flex security update: RCE in generated code (CVE-2016-6354)
2016-08-26 22:14 Flex security update: RCE in generated code (CVE-2016-6354) Leo Famulari
@ 2016-08-26 22:49 ` Leo Famulari
2016-08-27 21:48 ` Ludovic Courtès
0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-08-26 22:49 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1: Type: text/plain, Size: 499 bytes --]
On Fri, Aug 26, 2016 at 06:14:26PM -0400, Leo Famulari wrote:
> Subject: [PATCH] gnu: flex: Fix CVE-2016-6354.
>
> * gnu/packages/flex.scm (flex)[replacement]: New field.
> (flex/fixed): New variable.
> * gnu/packages/patches/flex-CVE-2016-6354.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
As Mark pointed out on #guix, bugs in flex's generated code can not be
addressed with a graft. Also, the upstream tarballs that we build from
often contain code generated by flex.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Flex security update: RCE in generated code (CVE-2016-6354)
2016-08-26 22:49 ` Leo Famulari
@ 2016-08-27 21:48 ` Ludovic Courtès
2016-08-28 0:54 ` Leo Famulari
0 siblings, 1 reply; 5+ messages in thread
From: Ludovic Courtès @ 2016-08-27 21:48 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Hello!
Leo Famulari <leo@famulari.name> skribis:
> On Fri, Aug 26, 2016 at 06:14:26PM -0400, Leo Famulari wrote:
>> Subject: [PATCH] gnu: flex: Fix CVE-2016-6354.
>>
>> * gnu/packages/flex.scm (flex)[replacement]: New field.
>> (flex/fixed): New variable.
>> * gnu/packages/patches/flex-CVE-2016-6354.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Add it.
>
> As Mark pointed out on #guix, bugs in flex's generated code can not be
> addressed with a graft.
Indeed. We should add this patch to ‘core-updates’ and start building
it (I haven’t checked the status of the various branches, though.)
> Also, the upstream tarballs that we build from often contain code
> generated by flex.
Yes, and finding out which tarballs contain vulnerable lexers (or
contain Flex-generated stuff at all) sounds difficult.
Maybe people have developed scripts to help with that?
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Flex security update: RCE in generated code (CVE-2016-6354)
2016-08-27 21:48 ` Ludovic Courtès
@ 2016-08-28 0:54 ` Leo Famulari
2016-08-28 9:41 ` Efraim Flashner
0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-08-28 0:54 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
On Sat, Aug 27, 2016 at 11:48:10PM +0200, Ludovic Courtès wrote:
> Hello!
>
> Leo Famulari <leo@famulari.name> skribis:
>
> > On Fri, Aug 26, 2016 at 06:14:26PM -0400, Leo Famulari wrote:
> >> Subject: [PATCH] gnu: flex: Fix CVE-2016-6354.
> >>
> >> * gnu/packages/flex.scm (flex)[replacement]: New field.
> >> (flex/fixed): New variable.
> >> * gnu/packages/patches/flex-CVE-2016-6354.patch: New file.
> >> * gnu/local.mk (dist_patch_DATA): Add it.
> >
> > As Mark pointed out on #guix, bugs in flex's generated code can not be
> > addressed with a graft.
>
> Indeed. We should add this patch to ‘core-updates’ and start building
> it (I haven’t checked the status of the various branches, though.)
Done as eba7fab890.
I'm not sure of the overall health of the branch, but I have built some
packages from it locally on x86_64. So, the base system seems to be
working.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Flex security update: RCE in generated code (CVE-2016-6354)
2016-08-28 0:54 ` Leo Famulari
@ 2016-08-28 9:41 ` Efraim Flashner
0 siblings, 0 replies; 5+ messages in thread
From: Efraim Flashner @ 2016-08-28 9:41 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 1542 bytes --]
On Sat, Aug 27, 2016 at 08:54:34PM -0400, Leo Famulari wrote:
> On Sat, Aug 27, 2016 at 11:48:10PM +0200, Ludovic Courtès wrote:
> > Hello!
> >
> > Leo Famulari <leo@famulari.name> skribis:
> >
> > > On Fri, Aug 26, 2016 at 06:14:26PM -0400, Leo Famulari wrote:
> > >> Subject: [PATCH] gnu: flex: Fix CVE-2016-6354.
> > >>
> > >> * gnu/packages/flex.scm (flex)[replacement]: New field.
> > >> (flex/fixed): New variable.
> > >> * gnu/packages/patches/flex-CVE-2016-6354.patch: New file.
> > >> * gnu/local.mk (dist_patch_DATA): Add it.
> > >
> > > As Mark pointed out on #guix, bugs in flex's generated code can not be
> > > addressed with a graft.
> >
> > Indeed. We should add this patch to ‘core-updates’ and start building
> > it (I haven’t checked the status of the various branches, though.)
>
> Done as eba7fab890.
>
> I'm not sure of the overall health of the branch, but I have built some
> packages from it locally on x86_64. So, the base system seems to be
> working.
>
I somehow managed to push a lot to the branch, and currently cmake is
broken, both the "old" version and the "new" version I pushed. They are
broken in the same way, so (based on nothing at all) I assume its
related to the file update.
Also, gcc-4.9.4 causes the same breakage on arm as 5.3.0 did.
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-08-28 9:42 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-08-26 22:14 Flex security update: RCE in generated code (CVE-2016-6354) Leo Famulari
2016-08-26 22:49 ` Leo Famulari
2016-08-27 21:48 ` Ludovic Courtès
2016-08-28 0:54 ` Leo Famulari
2016-08-28 9:41 ` Efraim Flashner
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).