Bug 451995 (CVE-2008-2719)

Summary: CVE-2008-2719 nasm: off-by-one error in the ppscan function
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: pmachata
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2719
Doc Type: Bug Fix
Last Closed: 2008-07-04 13:33:53 UTC

Description Tomas Hoger 2008-06-18 15:20:32 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2719 to the following vulnerability:

Off-by-one error in the ppscan function (preproc.c) in Netwide
Assembler (NASM) 2.02 allows context-dependent attackers to cause a
denial of service (crash) and possibly execute arbitrary code via a
crafted file that triggers a stack-based buffer overflow.

Upstream bug report and patch:
https://sourceforge.net/tracker/?func=detail&atid=106208&aid=1942146&group_id=6208
http://repo.or.cz/w/nasm.git?a=commit;h=76ec8e73db16f4cf1453a142d03bcc74d528f72f

Other references:
http://www.openwall.com/lists/oss-security/2008/06/11/4
http://secunia.com/advisories/30594
http://www.frsirt.com/english/advisories/2008/1811

Comment 1 Petr Machata 2008-06-19 10:35:22 UTC
We only ship 2.01, but from the look into the sources it seems to me that we are
still affected:

--- nasm-2.01/preproc.c 2008-01-17 21:22:17.000000000 +0100
+++ nasm-2.03.01/preproc.c      2008-06-17 06:31:16.000000000 +0200
@@ -1074,7 +1121,7 @@ static int ppscan(void *private_data, st
         }
 
         for (r = p, s = ourcopy; *r; r++) {
-           if (r > p+MAX_KEYWORD)
+           if (r >= p+MAX_KEYWORD)
                return tokval->t_type = TOKEN_ID; /* Not a keyword */
             *s++ = tolower(*r);
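
Review bot: the pre-patch `if (r > p+MAX_KEYWORD)` only fires once `r` has moved past `p+MAX_KEYWORD`, so the byte at `p[MAX_KEYWORD]` is still copied into `ourcopy`, and for an identifier of exactly MAX_KEYWORD+1 characters the loop ends with `s` pointing MAX_KEYWORD+1 bytes into the buffer before the terminator is stored after the loop; if `ourcopy` is declared with MAX_KEYWORD + 1 bytes, as the bound suggests, that terminator is the one-byte stack overflow, and `>=` returns before the extra byte is copied. When rebasing, note the hunk header is from 2.03.01 (`@@ -1074,7 +1121,7 @@`), so it will apply to 2.01 with an offset, and it is worth confirming the 2.01 declaration of `ourcopy` against MAX_KEYWORD + 1 so the terminator now fits.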

I can rebase to 2.03.01.
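
The boundary case behind the one-character change in the hunk above, modelled in isolation. This is an added example, not NASM's code: it assumes ppscan() copies into `char ourcopy[MAX_KEYWORD + 1]`, uses a constructed small MAX_KEYWORD so the boundary identifier is short, and the names `copy_keyword`, `keyword_copy_bytes` and `overflows_ourcopy` are introduced here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed small value for the demo; NASM's real MAX_KEYWORD is larger. */
#define MAX_KEYWORD 9
/* Assumed declaration in ppscan(): char ourcopy[MAX_KEYWORD + 1]. */
#define OURCOPY_SIZE (MAX_KEYWORD + 1)

/*
 * Models the keyword-copy loop of ppscan(). fixed == 0 uses the pre-patch
 * bound (r > p+MAX_KEYWORD), fixed == 1 the post-patch one (r >= p+MAX_KEYWORD).
 * dst is a scratch buffer larger than OURCOPY_SIZE, so the overrun is measured
 * instead of corrupting the stack. Returns the bytes stored, NUL included.
 */
static size_t copy_keyword(const char *p, char *dst, int fixed)
{
    const char *r;
    char *s;

    for (r = p, s = dst; *r; r++) {
        int too_long = fixed ? (r >= p + MAX_KEYWORD) : (r > p + MAX_KEYWORD);
        if (too_long)
            return (size_t)(s - dst);   /* Not a keyword: bail out, no NUL */
        *s++ = (char)tolower((unsigned char)*r);
    }
    *s = '\0';                          /* the write that can run off the end */
    return (size_t)(s - dst) + 1;
}

/* Bytes ppscan() would store for `ident` under the selected bound check. */
size_t keyword_copy_bytes(const char *ident, int fixed)
{
    char scratch[OURCOPY_SIZE + 16];    /* at most MAX_KEYWORD + 2 bytes are used */
    memset(scratch, 0, sizeof scratch);
    return copy_keyword(ident, scratch, fixed);
}

/* 1 if that copy would write past the end of a MAX_KEYWORD + 1 byte ourcopy. */
int overflows_ourcopy(const char *ident, int fixed)
{
    return keyword_copy_bytes(ident, fixed) > OURCOPY_SIZE;
}

int main(void)
{
    const char *boundary = "ABCDEFGHIJ";    /* exactly MAX_KEYWORD + 1 chars */
    printf("pre-patch  overflow: %d\n", overflows_ourcopy(boundary, 0));   /* 1 */
    printf("post-patch overflow: %d\n", overflows_ourcopy(boundary, 1));   /* 0 */
    return 0;
}
```

Only an identifier of exactly MAX_KEYWORD + 1 characters overflows: shorter ones fit with their terminator, and longer ones hit the early return before the terminator is written.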

Comment 2 Mark J. Cox 2008-07-04 13:18:49 UTC
Note these issues did not affect the versions of NASM as shipped with Red Hat
Enterprise Linux 2.1, 3, 4, or 5.

Comment 3 Red Hat Product Security 2008-07-04 13:33:53 UTC
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-5473

Comment 4 Tomas Hoger 2008-10-01 08:06:18 UTC
Just for future reference:

The issue was introduced in the following upstream commit:
http://repo.or.cz/w/nasm.git?a=commitdiff;h=c2df282092512917e558f56797f2e2be889de61c

Upstream version 0.99 seems to be the first version containing this affected code. Fixed upstream in 2.03.01.