When processing files, malloc stores the data of the current line. When processing comments, malloc incorrectly accesses the released memory (use after free).

Reference: https://gitee.com/src-openeuler/byacc/commit/50225f48c6b53e9d7c936681a06682404cb8ec4d
Created byacc tracking bugs for this issue: Affects: fedora-all [bug 2183007]
(In reply to Marian Rehak from comment #0)
> When processing files, malloc stores the data of the current line. When
> processing comments, malloc incorrectly accesses the released memory (use
> after free).
>
> Reference:
>
> https://gitee.com/src-openeuler/byacc/commit/
> 50225f48c6b53e9d7c936681a06682404cb8ec4d

byacc is a standalone program, so any bugs in it, including a use-after-free, ought to have no security consequences.

The reference is behind a login wall; I don't know what gitee.com is, so I'd like to avoid making an account there. Can you or the original submitter please provide information that is accessible without having to sign up for something?
The commit on gitee has no additional information (and proposes a band-aid fix). There's no example of how to reproduce the problem, and it does not completely fix it. The developer did not discuss this with me.

The actual bug would occur if the grammar splits up a %lex-param or %parse-param statement across multiple lines (or ends with a multiline C comment).

I began a fix last night, which (since I'm finishing changes to xterm) will be completed after several days - including making testcases.

By the way, there are two Red Hat bugs for the same issue. I will cite only this number.
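As an added illustration of the bug class described in the comment above (this is not byacc's own code; the reader and collector below are hypothetical), the example models a reader that malloc()s a fresh buffer for every line and a directive collector that copies text out of each line before asking for the next one, so a %lex-param split across lines is never read through a buffer the reader has already freed.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed input: a %lex-param directive split across two lines, the
   shape of grammar the comment above says triggers the bug. */
static const char *sample_lines[] = { "%lex-param {", "void *scanner }", "%%", NULL };

/* Hypothetical line reader: each read frees the previous line's buffer and
   malloc()s a fresh one. Any pointer kept into the old buffer across a
   call to get_line() dangles, which is the use-after-free pattern. */
struct reader { const char **cur; char *line; };

static char *get_line(struct reader *r) {
    size_t n;
    free(r->line);
    r->line = NULL;
    if (*r->cur == NULL) return NULL;
    n = strlen(*r->cur) + 1;
    r->line = malloc(n);
    memcpy(r->line, *r->cur++, n);
    return r->line;
}

/* Safe collector: copies every line's text into a buffer it owns before
   asking for the next line, so the directive can span lines without ever
   touching memory the reader has released. The unsafe variant would keep
   `char *start = line;` and read through it after the next get_line(). */
char *collect_param(struct reader *r) {
    size_t len = 0, cap = 64;
    char *out = malloc(cap), *line;
    out[0] = '\0';
    while ((line = get_line(r)) != NULL) {
        size_t n = strlen(line), need = len + n + 2;
        if (need > cap) { cap = need * 2; out = realloc(out, cap); }
        if (len) out[len++] = ' ';       /* join continuation lines */
        memcpy(out + len, line, n);
        len += n;
        out[len] = '\0';
        if (strchr(line, '}')) break;    /* closing brace ends the directive */
    }
    return out;                          /* caller frees */
}

/* Runs the collector over the constructed grammar; returns the joined text. */
char *run_sample(void) {
    struct reader r = { sample_lines, NULL };
    char *joined = collect_param(&r);
    free(r.line);                        /* release the last line buffer */
    return joined;
}
```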
(In reply to Thomas E. Dickey from comment #4)
> The commit on gitee has no additional information (and proposes a band-aid
> fix).
> There's no example of how to reproduce the problem, and does not completely
> fix it.
> The developer did not discuss this with me.
>
> The actual bug would occur if the grammar splits up a %lex-param or
> %parse-param
> statement across multiple lines (or ends with a multiline C comment).

That sounds like a regular bug, not a security issue. I reckon this needs to be rejected, unless anybody else comes up with a reason to consider this a security bug.

> I began a fix last night, which (since I'm finishing changes to xterm) will
> be
> completed after several days - including making testcases.
>
> By the way, there are two Red Hat bugs for the same issue.
> I will cite only this number.

I reckon you mean bug 2183007, which is the Fedora tracker for this bug? Please use that one; this is a general flaw bug to track fixes across distributions (Fedora, RHEL, etc.)
(In reply to Siddhesh Poyarekar from comment #5)
> That sounds like a regular bug, not a security issue. I reckon this needs to
> be rejected, unless anybody else comes up with a reason to consider this a
> security bug.

FAOD, by "rejected" I mean to reject that it is a security issue by filing a dispute with Mitre.