Bug 2226934 (CVE-2023-37732) - CVE-2023-37732 yasm: SEGV in yasm/libyasm/intnum.c in function yasm_intnum_copy()
Summary: CVE-2023-37732 yasm: SEGV in yasm/libyasm/intnum.c in function yasm_intnum_co...
Keywords:
Status: NEW
Alias: CVE-2023-37732
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2228937 2228938 2226936 2226937 2228935
Blocks: 2226935
TreeView+ depends on / blocked
 
Reported: 2023-07-27 04:17 UTC by Sandipan Roy
Modified: 2024-03-22 11:41 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Sandipan Roy 2023-07-27 04:17:14 UTC 
Yasm v1.3.0.78 was found prone to NULL Pointer Dereference in /libyasm/intnum.c and /elf/elf.c, which allows the attacker to cause a denial of service via a crafted file.

https://gist.github.com/ChanStormstout/02eea9cf5c002b42b2ff3de5ca939520
https://github.com/yasm/yasm/issues/233
Comment 3 msiddiqu 2023-08-03 17:11:32 UTC 
Created yasm tracking bugs for this issue:

Affects: epel-7 [bug 2228937]
Affects: fedora-all [bug 2228938]
Comment 4 Siddhesh Poyarekar 2023-08-04 12:39:47 UTC 
The yasm security policy excludes untrusted input to yasm[1], can you please file a dispute for the CVE?

[1] https://github.com/yasm/yasm/blob/master/SECURITY.mdd
Comment 6 msiddiqu 2023-08-04 13:37:52 UTC 
In reply to comment #4:
> The yasm security policy excludes untrusted input to yasm[1], can you please
> file a dispute for the CVE?
> 
> [1] https://github.com/yasm/yasm/blob/master/SECURITY.mdd

Raised an arbitration issue with Top level Root MITRE who owns this CVE.
Comment 8 Dominik 'Rathann' Mierzejewski 2024-03-22 11:41:21 UTC 
Fixed in: https://github.com/yasm/yasm/pull/234/commits/8a9af472a7160edf3d8ee0a994433d3c6e14cefc .
Note You need to log in before you can comment on or make changes to this bug.