Bug 451995 (CVE-2008-2719) - CVE-2008-2719 nasm: off-by-one error in the ppscan function
Summary: CVE-2008-2719 nasm: off-by-one error in the ppscan function
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-2719
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-06-18 15:20 UTC by Tomas Hoger
Modified: 2019-09-29 12:24 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-04 13:33:53 UTC


Attachments (Terms of Use)

Description Tomas Hoger 2008-06-18 15:20:32 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2719 to the following vulnerability:

Off-by-one error in the ppscan function (preproc.c) in Netwide
Assembler (NASM) 2.02 allows context-dependent attackers to cause a
denial of service (crash) and possibly execute arbitrary code via a
crafted file that triggers a stack-based buffer overflow.

Upstream bug report and patch:
https://sourceforge.net/tracker/?func=detail&atid=106208&aid=1942146&group_id=6208
http://repo.or.cz/w/nasm.git?a=commit;h=76ec8e73db16f4cf1453a142d03bcc74d528f72f

Other references:
http://www.openwall.com/lists/oss-security/2008/06/11/4
http://secunia.com/advisories/30594
http://www.frsirt.com/english/advisories/2008/1811

Comment 1 Petr Machata 2008-06-19 10:35:22 UTC
We only ship 2.01, but from the look into the sources it seems to me that we are
still affected:

--- nasm-2.01/preproc.c 2008-01-17 21:22:17.000000000 +0100
+++ nasm-2.03.01/preproc.c      2008-06-17 06:31:16.000000000 +0200
@@ -1074,7 +1121,7 @@ static int ppscan(void *private_data, st
         }
 
         for (r = p, s = ourcopy; *r; r++) {
-           if (r > p+MAX_KEYWORD)
+           if (r >= p+MAX_KEYWORD)
                return tokval->t_type = TOKEN_ID; /* Not a keyword */
             *s++ = tolower(*r);

I can rebase to 2.03.01.

Comment 2 Mark J. Cox 2008-07-04 13:18:49 UTC
Note these issues did not affect the versions of NASM as shipped with Red Hat
Enterprise Linux 2.1, 3, 4, or 5.

Comment 3 Red Hat Product Security 2008-07-04 13:33:53 UTC
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-5473



Comment 4 Tomas Hoger 2008-10-01 08:06:18 UTC
Just for future reference:

The issue was introduced in the following upstream commit:
http://repo.or.cz/w/nasm.git?a=commitdiff;h=c2df282092512917e558f56797f2e2be889de61c

Upstream version 0.99 seem to be the first version containing this affected code. Fixed upstream in 2.03.01.


Note You need to log in before you can comment on or make changes to this bug.