Bug 2186333 (CVE-2023-29581) - CVE-2023-29581 yasm: segmentation violation in delete_Token() in modules/preprocs/nasm/nasm-pp.c
Summary: CVE-2023-29581 yasm: segmentation violation in delete_Token() in modules/prep...
Keywords:
Status: NEW
Alias: CVE-2023-29581
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2186334 2186335 2186869 2186870
Blocks: 2186336
TreeView+ depends on / blocked
 
Reported: 2023-04-12 21:23 UTC by Pedro Sampaio
Modified: 2024-03-22 12:00 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Pedro Sampaio 2023-04-12 21:23:43 UTC 
yasm 1.3.0.55.g101bc was discovered to contain a segmentation violation via the function delete_Token at /nasm/nasm-pp.c.

References:
https://github.com/yasm/yasm/issues/216
https://github.com/z1r00/fuzz_vuln/blob/main/yasm/segv/delete_Token/readme.md
Comment 1 Pedro Sampaio 2023-04-12 21:24:03 UTC 
Created yasm tracking bugs for this issue:

Affects: epel-all [bug 2186335]
Affects: fedora-all [bug 2186334]
Comment 4 Siddhesh Poyarekar 2023-04-14 17:50:19 UTC 
Why is this a security issue? Assemblers are not a service and shouldn't be required to accept untrusted input.
Comment 5 Pedro Sampaio 2023-04-14 21:09:27 UTC 
As far as I can see, this CVE was not assigned by us, but by Mitre and since it was published, we have to file the bug nonetheless. Any requests to reject this CVE ID have to be directed to Mitre via cveform:

https://cveform.mitre.org/
Comment 8 Dominik 'Rathann' Mierzejewski 2024-03-22 12:00:46 UTC 
Thanks for the link, rejection request sent.
Note You need to log in before you can comment on or make changes to this bug.