Red Hat Bugzilla – Bug 522586
CVE-2008-7177 nasm: listing module buffer overflow
Last modified: 2009-09-10 14:40:57 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-7177 to the following vulnerability: Buffer overflow in the listing module in Netwide Assembler (NASM) before 2.03.01 has unknown impact and attack vectors, a different vulnerability than CVE-2008-2719. References: http://sourceforge.net/project/shownotes.php?release_id=607497 https://bugzilla.redhat.com/show_bug.cgi?id=452800 https://www.redhat.com/archives/fedora-package-announce/2008-June/msg01000.html http://www.securityfocus.com/bid/29955 http://www.securitytracker.com/id?1020378 http://secunia.com/advisories/30836 http://www.vupen.com/english/advisories/2008/1939
Doing a bit more search around this... This is full diff between 2.03 and 2.03.1: http://repo.or.cz/w/nasm.git?a=treediff;hp=a122578dcd9f3461c43dd9f9b81b64d832208866;hb=07c1468307f3b6fe16c7984447cc6512d1677140;hpb=c751e86145aec99b2212321903146723e75af22a Relevant part of it is: http://repo.or.cz/w/nasm.git?a=commitdiff;h=7174c5812e3d9f8d32dabdd612487231403e20df Which, via commit message, leads to this SF.net bug report with further details: http://sourceforge.net/tracker/?func=detail&atid=106208&aid=1991797&group_id=6208 The code in question was introduced upstream via following commit in Nov 2007: http://repo.or.cz/w/nasm.git?a=commitdiff;h=34f6fb0a65b247442afcb2148c8c80112ab4cd59 The code is not present in nasm versions shipped in Red Hat Enterprise Linux 3, 4 and 5, hence those versions are not affected by this flaw. All current Fedora versions are already updated to use nasm version 2.03.1 or later.