Debian Bug report logs -
#486715
nasm: CVE-2008-2719 off-by one in ppscan
Reported by: Nico Golde <nion@debian.org>
Date: Tue, 17 Jun 2008 20:21:01 UTC
Severity: grave
Tags: patch, security
Found in version nasm/2.02-1
Fixed in version 2.03.01-1
Done: Aníbal Monsalve Salazar <anibal@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>
:
Bug#486715
; Package nasm
.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>
:
New Bug report received and forwarded. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: nasm
Severity: grave
Version: 2.02-1
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for nasm.
CVE-2008-2719[0]:
| Off-by-one error in the ppscan function (preproc.c) in Netwide
| Assembler (NASM) 2.02 allows context-dependent attackers to cause a
| denial of service (crash) and possibly execute arbitrary code via a
| crafted file that triggers a stack-based buffer overflow.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Upstream patch: https://sourceforge.net/tracker/download.php?group_id=6208&atid=106208&file_id=274609&aid=1942146
Note, the description on the mitre site is not yet online but it will
be the same as the above one.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2719
http://security-tracker.debian.net/tracker/CVE-2008-2719
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Reply sent to Aníbal Monsalve Salazar <anibal@debian.org>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Nico Golde <nion@debian.org>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #10 received at 486715-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Version: 2.03.01-1
[Bcc: 486715-done@bugs.debian.org]
On Tue, Jun 17, 2008 at 10:17:29PM +0200, Nico Golde wrote:
>Package: nasm
>Severity: grave
>Version: 2.02-1
>Tags: security patch
>
>Hi,
>the following CVE (Common Vulnerabilities & Exposures) id was published
>for nasm.
>
>CVE-2008-2719[0]:
>>Off-by-one error in the ppscan function (preproc.c) in Netwide
>>Assembler (NASM) 2.02 allows context-dependent attackers to cause a
>>denial of service (crash) and possibly execute arbitrary code via a
>>crafted file that triggers a stack-based buffer overflow.
>
>If you fix the vulnerability please also make sure to include the CVE
>id in your changelog entry.
Too late!
Your bug report reached me 7+ hours after I've uploaded nasm 2.03.01-1
>Upstream patch:
>https://sourceforge.net/tracker/download.php?group_id=6208&atid=106208&file_id=274609&aid=1942146
Already in nasm 2.03.01-1
Release team, please consider setting the age-days of nasm 2.03.01-1 to
2.
>Note, the description on the mitre site is not yet online but it will
>be the same as the above one.
>
>For further information see:
>
>[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2719
>http://security-tracker.debian.net/tracker/CVE-2008-2719
>
>-- Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG:
>0x73647CFF For security reasons, all text in this mail is double-rot13
>encrypted.
[signature.asc (application/pgp-signature, inline)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Tue, 22 Jul 2008 07:28:34 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:54:05 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.