nasm: CVE-2008-2719 off-by one in ppscan

Debian Bug report logs - #486715
nasm: CVE-2008-2719 off-by one in ppscan

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: submit@bugs.debian.org

Subject: nasm: CVE-2008-2719 off-by one in ppscan

Date: Tue, 17 Jun 2008 22:17:29 +0200

[Message part 1 (text/plain, inline)]

Package: nasm
Severity: grave
Version: 2.02-1
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for nasm.

CVE-2008-2719[0]:
| Off-by-one error in the ppscan function (preproc.c) in Netwide
| Assembler (NASM) 2.02 allows context-dependent attackers to cause a
| denial of service (crash) and possibly execute arbitrary code via a
| crafted file that triggers a stack-based buffer overflow.


If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Upstream patch: https://sourceforge.net/tracker/download.php?group_id=6208&atid=106208&file_id=274609&aid=1942146

Note, the description on the mitre site is not yet online but it will
be the same as the above one.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2719
    http://security-tracker.debian.net/tracker/CVE-2008-2719

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #10 received at 486715-done@bugs.debian.org (full text, mbox, reply):

From: Aníbal Monsalve Salazar <anibal@debian.org>

To: Nico Golde <nion@debian.org>

Cc: debian-release@lists.debian.org

Subject: Re: Bug#486715: nasm: CVE-2008-2719 off-by one in ppscan

Date: Wed, 18 Jun 2008 17:29:05 +1000

[Message part 1 (text/plain, inline)]

Version: 2.03.01-1

[Bcc: 486715-done@bugs.debian.org]

On Tue, Jun 17, 2008 at 10:17:29PM +0200, Nico Golde wrote:
>Package: nasm
>Severity: grave
>Version: 2.02-1
>Tags: security patch
>
>Hi,
>the following CVE (Common Vulnerabilities & Exposures) id was published
>for nasm.
>
>CVE-2008-2719[0]:
>>Off-by-one error in the ppscan function (preproc.c) in Netwide
>>Assembler (NASM) 2.02 allows context-dependent attackers to cause a
>>denial of service (crash) and possibly execute arbitrary code via a
>>crafted file that triggers a stack-based buffer overflow.
>
>If you fix the vulnerability please also make sure to include the CVE
>id in your changelog entry.

Too late!

Your bug report reached me 7+ hours after I've uploaded nasm 2.03.01-1

>Upstream patch:
>https://sourceforge.net/tracker/download.php?group_id=6208&atid=106208&file_id=274609&aid=1942146

Already in nasm 2.03.01-1

Release team, please consider setting the age-days of nasm 2.03.01-1 to
2.

>Note, the description on the mitre site is not yet online but it will
>be the same as the above one.
>
>For further information see:
>
>[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2719
>http://security-tracker.debian.net/tracker/CVE-2008-2719
>
>-- Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG:
>0x73647CFF For security reasons, all text in this mail is double-rot13
>encrypted.

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.