Flex security update: RCE in generated code (CVE-2016-6354)

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Flex security update: RCE in generated code (CVE-2016-6354)

From:	Leo Famulari
Subject:	Flex security update: RCE in generated code (CVE-2016-6354)
Date:	Fri, 26 Aug 2016 18:14:26 -0400
User-agent:	Mutt/1.7.0 (2016-08-17)

There is a buffer overflow and potential remote code execution
vulnerability in flex's *generated code* before flex version 2.6.1,
CVE-2016-6354:

http://seclists.org/oss-sec/2016/q3/163
https://www.debian.org/security/2016/dsa-3653
https://security-tracker.debian.org/tracker/CVE-2016-6354

Flex has moved to GitHub [0], and so the source code is served over
HTTPS.  Flex is a dependency of GnuTLS. This would create a cycle in our
package graph. This is a problem we need to solve.

In the meantime, I've cherry-picked the commit that contains the bug
fix, and we can provide it as a patch. Please see attached.

[0]
https://sourceforge.net/p/flex/mailman/message/34913710/

0001-gnu-flex-Fix-CVE-2016-6354.patch
Description: Text document

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

Flex security update: RCE in generated code (CVE-2016-6354), Leo Famulari <=
- Re: Flex security update: RCE in generated code (CVE-2016-6354), Leo Famulari, 2016/08/26
  - Re: Flex security update: RCE in generated code (CVE-2016-6354), Ludovic Courtès, 2016/08/27
    - Re: Flex security update: RCE in generated code (CVE-2016-6354), Leo Famulari, 2016/08/27
    - Re: Flex security update: RCE in generated code (CVE-2016-6354), Efraim Flashner, 2016/08/28

Prev by Date: [PATCH 27/31] gnu: Add kwallet.
Next by Date: Re: Flex security update: RCE in generated code (CVE-2016-6354)
Previous by thread: [PATCH 00/31] KDE Tier 3 Packages
Next by thread: Re: Flex security update: RCE in generated code (CVE-2016-6354)
Index(es):
- Date
- Thread