Bug 1847608 (CVE-2020-14150) - CVE-2020-14150 bison: allows attackers to cause a denial of service
Summary: CVE-2020-14150 bison: allows attackers to cause a denial of service
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-14150
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1847609 1881232 1881233
Blocks: 1847611
Reported: 2020-06-16 16:56 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-11-01 17:13 UTC (History)

Fixed In Version: bison 3.5.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-01 17:13:11 UTC
Embargoed:



Description Guilherme de Almeida Suckevicz 2020-06-16 16:56:00 UTC
GNU Bison before 3.5.4 allows attackers to cause a denial of service (application crash).

Reference:
https://lists.gnu.org/archive/html/info-gnu/2020-04/msg00000.html

Comment 1 Guilherme de Almeida Suckevicz 2020-06-16 16:56:20 UTC
Created bison tracking bugs for this issue:

Affects: fedora-all [bug 1847609]

Comment 3 Todd Cullum 2020-09-16 22:08:44 UTC
Mitigation:

To mitigate this flaw, do not use Bison on untrusted input.

Comment 9 Todd Cullum 2020-09-21 22:05:36 UTC
The CVE seems to encapsulate several heap buffer overflows and assertion failures found listed as "[bison crash]" on [1]. Most of the issues stem from the same flawed code that is patched in [2]. All issues require untrusted input to be provided to bison, and likely will lead to bison crashing.

1. https://lists.gnu.org/archive/html/bug-bison/2020-03/index.html
2. https://github.com/akimd/bison/commit/641e326303753575664ca146fee7e9148d6bf5cf

