Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2719 to the following vulnerability:

Off-by-one error in the ppscan function (preproc.c) in Netwide Assembler (NASM) 2.02 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted file that triggers a stack-based buffer overflow.

Upstream bug report and patch:
https://sourceforge.net/tracker/?func=detail&atid=106208&aid=1942146&group_id=6208
http://repo.or.cz/w/nasm.git?a=commit;h=76ec8e73db16f4cf1453a142d03bcc74d528f72f

Other references:
http://www.openwall.com/lists/oss-security/2008/06/11/4
http://secunia.com/advisories/30594
http://www.frsirt.com/english/advisories/2008/1811
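To make the off-by-one concrete, here is an added model of the ppscan keyword copy loop (constructed for this bug page, not NASM's own code). It assumes the destination buffer is declared with MAX_KEYWORD+1 bytes to hold the terminator, and uses a small constructed MAX_KEYWORD plus a canary byte so that the single extra write, reachable only by an identifier of exactly MAX_KEYWORD+1 characters, becomes observable without any real out-of-bounds access:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEYWORD 9   /* constructed small limit; NASM's real value is larger */
#define CANARY 0xAA

/* Model of the ppscan keyword copy loop from the 2.02 / 2.03.01 diff.
 * dest is assumed to hold MAX_KEYWORD + 1 bytes (keyword plus NUL).
 * fixed == 0: the 2.02 check (r > p+MAX_KEYWORD);
 * fixed == 1: the 2.03.01 check (r >= p+MAX_KEYWORD).
 * Returns 1 if the token was copied as a keyword candidate, 0 if it was
 * rejected as too long (what ppscan reports as TOKEN_ID). */
int copy_keyword(const char *p, unsigned char *dest, int fixed)
{
    const char *r;
    unsigned char *s;
    for (r = p, s = dest; *r; r++) {
        if (fixed ? (r >= p + MAX_KEYWORD) : (r > p + MAX_KEYWORD))
            return 0;                       /* Not a keyword */
        *s++ = (unsigned char)tolower((unsigned char)*r);
    }
    *s = '\0';              /* terminator: the write that can land one past */
    return 1;
}

/* Copy ident into a MAX_KEYWORD + 1 byte region followed by one canary byte
 * and report whether the canary survived. The canary slot is still inside
 * the array, so this demo never writes out of bounds itself. */
int canary_intact_after_copy(const char *ident, int fixed)
{
    unsigned char buf[MAX_KEYWORD + 2];
    memset(buf, 0, sizeof buf);
    buf[MAX_KEYWORD + 1] = CANARY;
    copy_keyword(ident, buf, fixed);
    return buf[MAX_KEYWORD + 1] == CANARY;
}

int main(void)
{
    /* constructed identifiers of MAX_KEYWORD, MAX_KEYWORD+1, MAX_KEYWORD+2 chars */
    const char *idents[] = { "abcdefghi", "abcdefghij", "abcdefghijk" };
    size_t i;
    for (i = 0; i < 3; i++)
        printf("%-12s 2.02 canary ok=%d   2.03.01 canary ok=%d\n", idents[i],
               canary_intact_after_copy(idents[i], 0),
               canary_intact_after_copy(idents[i], 1));
    return 0;
}
```

Only the MAX_KEYWORD+1 character identifier clobbers the canary under the 2.02 check: one character longer and the old check rejects the token before the terminator is written, one shorter and everything fits.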
We only ship 2.01, but from the look into the sources it seems to me that we are still affected: --- nasm-2.01/preproc.c 2008-01-17 21:22:17.000000000 +0100 +++ nasm-2.03.01/preproc.c 2008-06-17 06:31:16.000000000 +0200 @@ -1074,7 +1121,7 @@ static int ppscan(void *private_data, st } for (r = p, s = ourcopy; *r; r++) { - if (r > p+MAX_KEYWORD) + if (r >= p+MAX_KEYWORD) return tokval->t_type = TOKEN_ID; /* Not a keyword */ *s++ = tolower(*r); I can rebase to 2.03.01.
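Review bot: the 2.01 comparison `if (r > p+MAX_KEYWORD)` only rejects the token once r has advanced MAX_KEYWORD+1 positions past p, so the visible `*s++ = tolower(*r);` can store MAX_KEYWORD+1 characters into ourcopy before the loop gives up; `r >= p+MAX_KEYWORD` stops after MAX_KEYWORD characters and returns TOKEN_ID instead. The hunk does not show the declaration of ourcopy or what is written after the loop, so when rebasing to 2.03.01 confirm in the 2.01 tree that ourcopy is sized MAX_KEYWORD+1 and that the post-loop terminator write is what lands out of bounds, and note the hunk header offset (1074 in 2.01 vs 1121 in 2.03.01) in case the patch needs fuzz to apply.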
Note these issues did not affect the versions of NASM as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F9/FEDORA-2008-5473
Just for future reference: the issue was introduced in the following upstream commit:
http://repo.or.cz/w/nasm.git?a=commitdiff;h=c2df282092512917e558f56797f2e2be889de61c

Upstream version 0.99 seems to be the first version containing this affected code. Fixed upstream in 2.03.01.