Bug 2226934 (CVE-2023-37732) - CVE-2023-37732 yasm: SEGV in yasm/libyasm/intnum.c in function yasm_intnum_copy()
Summary: CVE-2023-37732 yasm: SEGV in yasm/libyasm/intnum.c in function yasm_intnum_co...
Keywords:
Status: NEW
Alias: CVE-2023-37732
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2228937 2228938 2226936 2226937 2228935
Blocks: 2226935
TreeView+ depends on / blocked
 
Reported: 2023-07-27 04:17 UTC by Sandipan Roy
Modified: 2023-08-08 17:20 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Sandipan Roy 2023-07-27 04:17:14 UTC 
Yasm v1.3.0.78 was found prone to NULL Pointer Dereference in /libyasm/intnum.c and /elf/elf.c, which allows the attacker to cause a denial of service via a crafted file.

https://gist.github.com/ChanStormstout/02eea9cf5c002b42b2ff3de5ca939520
https://github.com/yasm/yasm/issues/233
Comment 3 msiddiqu 2023-08-03 17:11:32 UTC 
Created yasm tracking bugs for this issue:

Affects: epel-7 [bug 2228937]
Affects: fedora-all [bug 2228938]
Comment 4 Siddhesh Poyarekar 2023-08-04 12:39:47 UTC 
The yasm security policy excludes untrusted input to yasm[1], can you please file a dispute for the CVE?

[1] https://github.com/yasm/yasm/blob/master/SECURITY.mdd
Comment 6 msiddiqu 2023-08-04 13:37:52 UTC 
In reply to comment #4:
> The yasm security policy excludes untrusted input to yasm[1], can you please
> file a dispute for the CVE?
> 
> [1] https://github.com/yasm/yasm/blob/master/SECURITY.mdd

Raised an arbitration issue with Top level Root MITRE who owns this CVE.
Note You need to log in before you can comment on or make changes to this bug.