Bug 1847608 (CVE-2020-14150)

Summary: CVE-2020-14150 bison: allows attackers to cause a denial of service
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: arjun.is, ashankar, emachado, me, pfrankli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: bison 3.5.4 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-01 17:13:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1847609, 1881232, 1881233    
Bug Blocks: 1847611    

Description Guilherme de Almeida Suckevicz 2020-06-16 16:56:00 UTC 
GNU Bison before 3.5.4 allows attackers to cause a denial of service (application crash).

Reference:
https://lists.gnu.org/archive/html/info-gnu/2020-04/msg00000.html
Comment 1 Guilherme de Almeida Suckevicz 2020-06-16 16:56:20 UTC 
Created bison tracking bugs for this issue:

Affects: fedora-all [bug 1847609]
Comment 3 Todd Cullum 2020-09-16 22:08:44 UTC 
Mitigation:

To mitigate this flaw, do not use Bison on untrusted input.
Comment 9 Todd Cullum 2020-09-21 22:05:36 UTC 
The CVE seems to encapsulate several heap buffer overflows and assertion failures found listed as "[bison crash]" on [1]. Most of the issues stem from the same flawed code that is patched in [2]. All issues require untrusted input to be provided to bison, and likely will lead to bison crashing.

1. https://lists.gnu.org/archive/html/bug-bison/2020-03/index.html
2. https://github.com/akimd/bison/commit/641e326303753575664ca146fee7e9148d6bf5cf