https://bugzilla.redhat.com/show_bug.cgi?id=1663908
Bug ID: 1663908 Summary: CVE-2018-20538 nasm: Use-after-free at asm/preproc.c resulting in a denial of service Product: Security Response Hardware: All OS: Linux Status: NEW Whiteboard: impact=low,public=20181118,reported=20181228,source=cv e,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A :L,cwe=CWE-416,fedora-all/nasm=affected,rhel-5/nasm=ne w,rhel-6/nasm=new,rhel-7/nasm=new,rhel-8/nasm=new Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team@redhat.com Reporter: anemec@redhat.com CC: dominik@greysector.net, java-sig-commits@lists.fedoraproject.org, mizdebsk@redhat.com, nickc@redhat.com Target Milestone: --- Classification: Other
A use-after-free vulnerability was found in nasm. A specially crafted file could cause the application to crash.
Upstream issue:
https://bugzilla.nasm.us/show_bug.cgi?id=3392531
https://bugzilla.redhat.com/show_bug.cgi?id=1663908
Andrej Nemec anemec@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1663909
--- Comment #1 from Andrej Nemec anemec@redhat.com --- Created nasm tracking bugs for this issue:
Affects: fedora-all [bug 1663909]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1663909 [Bug 1663909] CVE-2018-1000886 CVE-2018-20535 CVE-2018-20538 nasm: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1663908
Andrej Nemec anemec@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1663910
https://bugzilla.redhat.com/show_bug.cgi?id=1663908
Nick Clifton nickc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED
--- Comment #2 from Nick Clifton nickc@redhat.com --- Setting devel cond NAK - waiting on upstream fix.
https://bugzilla.redhat.com/show_bug.cgi?id=1663908
Scott Gayou sgayou@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=low,public=20181118, |impact=low,public=20181118, |reported=20181228,source=cv |reported=20181228,source=cv |e,cvss3=3.3/CVSS:3.0/AV:L/A |e,cvss3=3.3/CVSS:3.0/AV:L/A |C:L/PR:N/UI:R/S:U/C:N/I:N/A |C:L/PR:N/UI:R/S:U/C:N/I:N/A |:L,cwe=CWE-416,fedora-all/n |:L,cwe=CWE-416,fedora-all/n |asm=affected,rhel-5/nasm=ne |asm=affected,rhel-5/nasm=no |w,rhel-6/nasm=new,rhel-7/na |taffected,rhel-6/nasm=wontf |sm=new,rhel-8/nasm=new |ix,rhel-7/nasm=affected,rhe | |l-8/nasm=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1663908
--- Comment #3 from Scott Gayou sgayou@redhat.com --- Similar valgrind output as compared to ASAN:
``` ==12467== Memcheck, a memory error detector ==12467== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==12467== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info ==12467== Command: nasm -f bin attachment.cgi?id=411689 -o xxx ==12467== ==12467== Conditional jump or move depends on uninitialised value(s) ==12467== at 0x42FD4E: tokenize (preproc.c:1006) ==12467== by 0x434189: pp_getline (preproc.c:4969) ==12467== by 0x4046E3: assemble_file.constprop.3 (nasm.c:1222) ==12467== by 0x402D02: main (nasm.c:463) ==12467== ==12467== Conditional jump or move depends on uninitialised value(s) ==12467== at 0x42FBA1: tokenize (preproc.c:900) ==12467== by 0x434189: pp_getline (preproc.c:4969) ==12467== by 0x4046E3: assemble_file.constprop.3 (nasm.c:1222) ==12467== by 0x402D02: main (nasm.c:463) ==12467== attachment.cgi?id=411689:15: error: label or instruction expected at start of line attachment.cgi?id=411689:16: error: attempt to define a local label before any non-local labels attachment.cgi?id=411689:18: error: parser: instruction expected attachment.cgi?id=411689:18: error: parser: instruction expected attachment.cgi?id=411689:18: error: label or instruction expected at start of line ==12467== Invalid read of size 4 ==12467== at 0x4346C5: pp_getline (preproc.c:4957) ==12467== by 0x4046E3: assemble_file.constprop.3 (nasm.c:1222) ==12467== by 0x402D02: main (nasm.c:463) ```
Looks valid.
https://bugzilla.redhat.com/show_bug.cgi?id=1663908
Scott Gayou sgayou@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1677018, 1677017
https://bugzilla.redhat.com/show_bug.cgi?id=1663908 Bug 1663908 depends on bug 1663909, which changed state.
Bug 1663909 Summary: CVE-2018-1000886 CVE-2018-20535 CVE-2018-20538 nasm: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1663909
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |EOL
java-sig-commits@lists.fedoraproject.org