Bug 1826946 (CVE-2020-11958)

Summary:	CVE-2020-11958 re2c: heap-based buffer overflow in Scanner::fill in parse/scanner.cc
Product:	[Other] Security Response	Reporter:	Guilherme de Almeida Suckevicz <gsuckevi>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED NOTABUG	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	fedora, i, orion, rhughes, seancallaway
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	re2c 2.0	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2020-04-23 04:31:45 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1826947

Description Guilherme de Almeida Suckevicz 2020-04-22 20:14:20 UTC

re2c 1.3 has a heap-based buffer overflow in Scanner::fill in parse/scanner.cc via a long lexeme.

References:
https://www.openwall.com/lists/oss-security/2020/04/19/1
https://blogs.gentoo.org/ago/2020/04/19/re2c-heap-overflow-in-scannerfill-scanner-cc/

Upstream commit:
https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a

Comment 1 Todd Cullum 2020-04-23 03:10:37 UTC

Statement:

This flaw was tested and does not affect any version of Red Hat Enterprise Linux. The vulnerable code was introduced in a version that is not in the Red Hat Enterprise Linux repositories.

Comment 2 Todd Cullum 2020-04-23 03:39:26 UTC

This vulnerability was introduced in the "preparations to support #include" commit in the upstream version re2c-1.3, and is not present in any versions of RHEL.

Comment 3 Product Security DevOps Team 2020-04-23 04:31:45 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11958