Bug 522586 (CVE-2008-7177) - CVE-2008-7177 nasm: listing module buffer overflow
Summary: CVE-2008-7177 nasm: listing module buffer overflow
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-7177
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard: source=cve,impact=low
Depends On: 452800
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-09-10 18:34 UTC by Tomas Hoger
Modified: 2019-06-08 12:49 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-10 18:40:57 UTC


Attachments (Terms of Use)

Description Tomas Hoger 2009-09-10 18:34:07 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-7177 to the following vulnerability:

Buffer overflow in the listing module in Netwide Assembler (NASM)
before 2.03.01 has unknown impact and attack vectors, a different
vulnerability than CVE-2008-2719.

References:
http://sourceforge.net/project/shownotes.php?release_id=607497
https://bugzilla.redhat.com/show_bug.cgi?id=452800
https://www.redhat.com/archives/fedora-package-announce/2008-June/msg01000.html
http://www.securityfocus.com/bid/29955
http://www.securitytracker.com/id?1020378
http://secunia.com/advisories/30836
http://www.vupen.com/english/advisories/2008/1939

Comment 1 Tomas Hoger 2009-09-10 18:40:57 UTC
Doing a bit more search around this...

This is full diff between 2.03 and 2.03.1:
http://repo.or.cz/w/nasm.git?a=treediff;hp=a122578dcd9f3461c43dd9f9b81b64d832208866;hb=07c1468307f3b6fe16c7984447cc6512d1677140;hpb=c751e86145aec99b2212321903146723e75af22a

Relevant part of it is:
http://repo.or.cz/w/nasm.git?a=commitdiff;h=7174c5812e3d9f8d32dabdd612487231403e20df

Which, via commit message, leads to this SF.net bug report with further details:
http://sourceforge.net/tracker/?func=detail&atid=106208&aid=1991797&group_id=6208

The code in question was introduced upstream via following commit in Nov 2007:
http://repo.or.cz/w/nasm.git?a=commitdiff;h=34f6fb0a65b247442afcb2148c8c80112ab4cd59

The code is not present in nasm versions shipped in Red Hat Enterprise Linux 3, 4 and 5, hence those versions are not affected by this flaw.

All current Fedora versions are already updated to use nasm version 2.03.1 or later.


Note You need to log in before you can comment on or make changes to this bug.