Bug 1872737 (CVE-2020-24240) - CVE-2020-24240 bison: use-after-free via crafted input file containing a NULL byte can lead to DoS
Summary: CVE-2020-24240 bison: use-after-free via crafted input file containing a NULL...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-24240
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1872738
Blocks: 1872739
TreeView+ depends on / blocked
 
Reported: 2020-08-26 14:13 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 19:25 UTC (History)
5 users (show)

Fixed In Version: bison 3.7.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-08-28 01:17:29 UTC
Embargoed:


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-08-26 14:13:44 UTC
GNU Bison 3.7 has a use after free (UAF) vulnerability. A local attacker may execute bison with crafted input file containing a NULL byte, which could triggers UAF and thus cause system crash.

Reference:
https://lists.gnu.org/r/bug-bison/2020-07/msg00051.html

Upstream patch:
https://github.com/akimd/bison/commit/be95a4fe2951374676efc9454ffee8638faaf68d

Comment 1 Guilherme de Almeida Suckevicz 2020-08-26 14:14:05 UTC
Created bison tracking bugs for this issue:

Affects: fedora-all [bug 1872738]

Comment 3 Todd Cullum 2020-08-27 20:03:59 UTC
Statement:

bison as shipped in Red Hat Enterprise Linux 7 and 8 does not reproduce this flaw. It properly detects the NULL byte and errors out accordingly instead of causing use-after-free. This is likely due to introduction of vulnerable code in a more recent version of bison.

Comment 4 Product Security DevOps Team 2020-08-28 01:17:29 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-24240


Note You need to log in before you can comment on or make changes to this bug.