Bug 451995 - (CVE-2008-2719) CVE-2008-2719 nasm: off-by-one error in the ppscan function
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
source=osssecurity,reported=20080611,...
Keywords: Security
Reported: 2008-06-18 11:20 EDT by Tomas Hoger
Modified: 2016-03-04 06:38 EST

Doc Type: Bug Fix
Last Closed: 2008-07-04 09:33:53 EDT

Description Tomas Hoger 2008-06-18 11:20:32 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2719 to the following vulnerability:

Off-by-one error in the ppscan function (preproc.c) in Netwide
Assembler (NASM) 2.02 allows context-dependent attackers to cause a
denial of service (crash) and possibly execute arbitrary code via a
crafted file that triggers a stack-based buffer overflow.

Upstream bug report and patch:
https://sourceforge.net/tracker/?func=detail&atid=106208&aid=1942146&group_id=6208
http://repo.or.cz/w/nasm.git?a=commit;h=76ec8e73db16f4cf1453a142d03bcc74d528f72f

Other references:
http://www.openwall.com/lists/oss-security/2008/06/11/4
http://secunia.com/advisories/30594
http://www.frsirt.com/english/advisories/2008/1811
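To make the off-by-one concrete, here is an added model of the ppscan keyword-copy loop (written for this page, not NASM's own code): MAX_KEYWORD is set to an assumed small value, and the copy goes into a scratch buffer one byte larger than the real ourcopy[] so the out-of-bounds write is counted rather than triggered.

```c
#include <ctype.h>
#include <stdbool.h>

/* Assumed small limit for illustration; NASM's real MAX_KEYWORD value is not on this page. */
#define MAX_KEYWORD 9
/* The real loop fills a stack buffer sized for the keyword plus its NUL. */
#define OURCOPY_SIZE (MAX_KEYWORD + 1)

/*
 * Model of the keyword-copy loop in ppscan(). The identifier at p is
 * lower-cased into scratch, which is one byte larger than the real
 * ourcopy[] so an out-of-bounds write is counted instead of corrupting
 * the stack. Returns the bytes written (characters plus terminating NUL),
 * or -1 when the length guard rejected the identifier as a plain TOKEN_ID.
 *   fixed == false : original guard  r >  p + MAX_KEYWORD  (CVE-2008-2719)
 *   fixed == true  : patched guard   r >= p + MAX_KEYWORD
 */
int model_copy_keyword(const char *p, bool fixed, char scratch[OURCOPY_SIZE + 1])
{
    const char *r;
    char *s;

    for (r = p, s = scratch; *r; r++) {
        if (fixed ? (r >= p + MAX_KEYWORD) : (r > p + MAX_KEYWORD))
            return -1;                         /* not a keyword */
        *s++ = (char)tolower((unsigned char)*r);
    }
    *s = '\0';                                 /* the write the old guard lets overflow */
    return (int)(s - scratch) + 1;
}

/* Bytes the loop writes for ident, or -1 if it was rejected. */
int bytes_written(const char *ident, bool fixed)
{
    char scratch[OURCOPY_SIZE + 1];
    return model_copy_keyword(ident, fixed, scratch);
}

/* True when the write count exceeds the MAX_KEYWORD+1 bytes ourcopy[] has. */
bool overflows_ourcopy(const char *ident, bool fixed)
{
    return bytes_written(ident, fixed) > OURCOPY_SIZE;
}
```

With the assumed limit, a 10-character identifier makes the original guard write 11 bytes into a 10-byte buffer, while the patched guard rejects it before the copy completes; longer identifiers are rejected by both.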
Comment 1 Petr Machata 2008-06-19 06:35:22 EDT
We only ship 2.01, but from the look into the sources it seems to me that we are
still affected:

--- nasm-2.01/preproc.c 2008-01-17 21:22:17.000000000 +0100
+++ nasm-2.03.01/preproc.c      2008-06-17 06:31:16.000000000 +0200
@@ -1074,7 +1121,7 @@ static int ppscan(void *private_data, st
         }
 
         for (r = p, s = ourcopy; *r; r++) {
-           if (r > p+MAX_KEYWORD)
+           if (r >= p+MAX_KEYWORD)
                return tokval->t_type = TOKEN_ID; /* Not a keyword */
             *s++ = tolower(*r);
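Review bot: the `>` guard on the removed line fires only once r has passed p+MAX_KEYWORD, so the loop copies MAX_KEYWORD+1 characters into ourcopy before returning TOKEN_ID, and an identifier of exactly MAX_KEYWORD+1 characters is never rejected at all; the `>=` guard stops after MAX_KEYWORD characters, which is the one extra byte that matters if ourcopy holds MAX_KEYWORD+1 bytes including the terminator (the declaration is not in the hunk, so confirm it in the 2.01 source when backporting). The hunk header (`-1074,7 +1121,7`) also shows this is a diff between 2.01 and 2.03.01 rather than a patch against 2.01, so the backport should carry just the one-character change, plus a regression input with an identifier of MAX_KEYWORD+1 characters.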

I can rebase to 2.03.01.
Comment 2 Mark J. Cox 2008-07-04 09:18:49 EDT
Note these issues did not affect the versions of NASM as shipped with Red Hat
Enterprise Linux 2.1, 3, 4, or 5.
Comment 3 Red Hat Product Security 2008-07-04 09:33:53 EDT
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-5473

Comment 4 Tomas Hoger 2008-10-01 04:06:18 EDT
Just for future reference:

The issue was introduced in the following upstream commit:
http://repo.or.cz/w/nasm.git?a=commitdiff;h=c2df282092512917e558f56797f2e2be889de61c

Upstream version 0.99 seems to be the first version containing this affected code. Fixed upstream in 2.03.01.
