https://bugzilla.redhat.com/show_bug.cgi?id=1677636
Bug ID: 1677636 Summary: CVE-2019-8343 nasm: use-after-free in paste_tokens in asm/preproc.c Product: Security Response Hardware: All OS: Linux Status: NEW Whiteboard: impact=important,public=20190214,reported=20190215,sou rce=cve,cvss3=7.8/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H /I:H/A:H,cwe=CWE-416,fedora-all/nasm=affected,rhel-5/n asm=new,rhel-6/nasm=new,rhel-7/nasm=new,rhel-8/nasm=ne w Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team@redhat.com Reporter: darunesh@redhat.com CC: dominik@greysector.net, i.gnatenko.brain@gmail.com, java-sig-commits@lists.fedoraproject.org, mizdebsk@redhat.com, nickc@redhat.com Target Milestone: --- Classification: Other
In Netwide Assembler (NASM) 2.14.02, there is a use-after-free in paste_tokens in asm/preproc.c.
Reference: https://bugzilla.nasm.us/show_bug.cgi?id=3392556
https://bugzilla.redhat.com/show_bug.cgi?id=1677636
Dhananjay Arunesh darunesh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1677637
--- Comment #1 from Dhananjay Arunesh darunesh@redhat.com --- Created nasm tracking bugs for this issue:
Affects: fedora-all [bug 1677637]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1677637 [Bug 1677637] CVE-2019-8343 nasm: use-after-free in paste_tokens in asm/preproc.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1677636
Dhananjay Arunesh darunesh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1677638
https://bugzilla.redhat.com/show_bug.cgi?id=1677636
Stefan Cornelius scorneli@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Priority|high |medium Whiteboard|impact=important,public=201 |impact=moderate,public=2019 |90214,reported=20190215,sou |0214,reported=20190215,sour |rce=cve,cvss3=7.8/CVSS:3.0/ |ce=cve,cvss3=7.3/CVSS:3.0/A |AV:L/AC:L/PR:L/UI:N/S:U/C:H |V:L/AC:L/PR:L/UI:R/S:U/C:H/ |/I:H/A:H,cwe=CWE-416,fedora |I:H/A:H,cwe=CWE-416,fedora- |-all/nasm=affected,rhel-5/n |all/nasm=affected,rhel-5/na |asm=new,rhel-6/nasm=new,rhe |sm=notaffected,rhel-6/nasm= |l-7/nasm=new,rhel-8/nasm=ne |wontfix,rhel-7/nasm=affecte |w |d,rhel-8/nasm=affected Severity|high |medium
https://bugzilla.redhat.com/show_bug.cgi?id=1677636
Paul Dwyer pdwyer@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |pdwyer@redhat.com, | |security-response-team@redh | |at.com Flags| |needinfo?(security-response | |-team@redhat.com)
https://bugzilla.redhat.com/show_bug.cgi?id=1677636
Doran Moppert dmoppert@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |dmoppert@redhat.com, | |scorneli@redhat.com Flags| |needinfo?(scorneli@redhat.c | |om)
https://bugzilla.redhat.com/show_bug.cgi?id=1677636
Stefan Cornelius scorneli@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Priority|medium |low Whiteboard|impact=moderate,public=2019 |impact=low,public=20190214, |0214,reported=20190215,sour |reported=20190215,source=cv |ce=cve,cvss3=7.3/CVSS:3.0/A |e,cvss3=7.3/CVSS:3.0/AV:L/A |V:L/AC:L/PR:L/UI:R/S:U/C:H/ |C:L/PR:L/UI:R/S:U/C:H/I:H/A |I:H/A:H,cwe=CWE-416,fedora- |:H,cwe=CWE-416,fedora-all/n |all/nasm=affected,rhel-5/na |asm=affected,rhel-5/nasm=no |sm=notaffected,rhel-6/nasm= |taffected,rhel-6/nasm=wontf |wontfix,rhel-7/nasm=affecte |ix,rhel-7/nasm=affected,rhe |d,rhel-8/nasm=affected |l-8/nasm=affected Severity|medium |low
https://bugzilla.redhat.com/show_bug.cgi?id=1677636
--- Comment #6 from Stefan Cornelius scorneli@redhat.com --- Statement:
This issue affects the versions of nasm as shipped with Red Hat Enterprise Linux 6 and 7.
Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Low, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
This issue did not affect the versions of nasm as shipped with Red Hat Enterprise Linux 5.
https://bugzilla.redhat.com/show_bug.cgi?id=1677636
Stefan Cornelius scorneli@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1700346, 1700347
https://bugzilla.redhat.com/show_bug.cgi?id=1677636
Stefan Cornelius scorneli@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(security-response | |-team@redhat.com) | |needinfo?(scorneli@redhat.c | |om) |
https://bugzilla.redhat.com/show_bug.cgi?id=1677636 Bug 1677636 depends on bug 1677637, which changed state.
Bug 1677637 Summary: CVE-2019-8343 nasm: use-after-free in paste_tokens in asm/preproc.c [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1677637
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |EOL
java-sig-commits@lists.fedoraproject.org