flex: CVE-2016-6354: buffer overflow in generated code (yy_get_next_buffer)

Related Vulnerabilities: CVE-2016-6354  

Debian Bug report logs - #832768


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 28 Jul 2016 16:57:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in version flex/2.5.39-8

Fixed in versions flex/2.5.39-8+deb8u1, flex/2.6.1-1

Done: Manoj Srivastava <srivasta@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Manoj Srivastava <srivasta@debian.org>:
Bug#832768; Package src:flex. (Thu, 28 Jul 2016 16:57:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Manoj Srivastava <srivasta@debian.org>. (Thu, 28 Jul 2016 16:57:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: flex: CVE-2016-6354: buffer overflow in generated code (yy_get_next_buffer)
Date: Thu, 28 Jul 2016 18:52:02 +0200
Source: flex
Version: 2.5.39-8
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for flex, fixing this as
grave. It is possible to exploit this remotely, but depending on the
application that is built using flex. And there might be further
sources with shipped lexers built with the broken flex version. All of
those were not investigated.

CVE-2016-6354[0]:
Buffer overflow in generated code (yy_get_next_buffer); related to num_to_read

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6354
[1] https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466

Regards,
Salvatore



Reply sent to Manoj Srivastava <srivasta@debian.org>:
You have taken responsibility. (Sun, 31 Jul 2016 22:57:04 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 31 Jul 2016 22:57:04 GMT).


Message #10 received at 832768-close@bugs.debian.org:

From: Manoj Srivastava <srivasta@debian.org>
To: 832768-close@bugs.debian.org
Subject: Bug#832768: fixed in flex 2.6.1-1
Date: Sun, 31 Jul 2016 22:54:05 +0000
Source: flex
Source-Version: 2.6.1-1

We believe that the bug you reported is fixed in the latest version of
flex, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 832768@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Manoj Srivastava <srivasta@debian.org> (supplier of updated flex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 29 Jul 2016 18:07:24 -0700
Source: flex
Binary: flex flex-doc libfl-dev
Architecture: source amd64 all
Version: 2.6.1-1
Distribution: unstable
Urgency: low
Maintainer: Manoj Srivastava <srivasta@debian.org>
Changed-By: Manoj Srivastava <srivasta@debian.org>
Description:
 flex       - fast lexical analyzer generator
 flex-doc   - Documentation for flex (a fast lexical analyzer generator)
 libfl-dev  - static library for flex (a fast lexical analyzer generator)
Closes: 832768
Changes:
 flex (2.6.1-1) unstable; urgency=low
 .
   * New upstream version. The development of flex is transitioning to
     github; updated the watch file.
   * Bug fix: "CVE-2016-6354: buffer overflow in generated code
     (yy_get_next_buffer)", thanks to Salvatore Bonaccorso. The latest
     upstream has this bug fixed.  (Closes: #832768).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----




Marked as fixed in versions flex/2.5.39-8+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Aug 2016 04:18:03 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 23 Sep 2016 07:28:21 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:55:47 2019; Machine Name: beach
