yasm 1.3.0.55.g101bc was discovered to contain a segmentation violation via the component yasm_expr_create at /libyasm/expr.c. References: https://github.com/yasm/yasm/issues/215 https://github.com/z1r00/fuzz_vuln/blob/main/yasm/segv/yasm_expr_create/readmd.md
Created yasm tracking bugs for this issue: Affects: epel-all [bug 2186293] Affects: fedora-all [bug 2186292]
Why is this a security issue? Assemblers are not a service and shouldn't be required to accept untrusted input. Admittedly this is in a library, which may in theory be used to implement services, but I can't imagine this being a safe thing to do regardless of this bug.
(In reply to Siddhesh Poyarekar from comment #4) > Why is this a security issue? Assemblers are not a service and shouldn't be > required to accept untrusted input. Admittedly this is in a library, which > may in theory be used to implement services, but I can't imagine this being > a safe thing to do regardless of this bug. As far as I can see, this CVE was not assigned by us, but by Mitre and since it was published, we have to file the bug nonetheless. Any requests to reject this CVE ID have to be directed to Mitre via cveform: https://cveform.mitre.org/