Bug 183477
Summary: | SA19071 Flex Unspecified Scanner Vulnerabilities | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ignacio Vazquez-Abrams <ivazqueznet> |
Component: | flex | Assignee: | Petr Machata <pmachata> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 4 | CC: | mnewsome |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://secunia.com/advisories/19071/ | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2006-03-02 13:41:06 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Ignacio Vazquez-Abrams
2006-03-01 12:16:37 UTC
Does anybody know anything more concrete? Knowing that there are "some" vulnerabilities with "unknown impact" isn't particularly helpful. Flex doesn't manage a changelog. In NEWS, the most concrete is "numerous bug and security fixes"... This issue does not affect the version of flex we ship in Fedora Core 4 or 5, nor do any of the prebuilt flex files contained in any source files suffer from this exploit. The Red Hat Security Response Team did a very through analysis of this problem in order to come to this conclusion. The problem is that in newer versions of flex don't allocate enough space for the pattern state machine. The old versions of flex used static arrays, where the newer versions dynamically allocate the space needed. This dynamic allocation incorrectly calculated the space required. The flex commit is here: http://cvs.sourceforge.net/viewcvs.py/flex/flex/flex.skl?rev=2.193&view=auto |