Candidate: CVE-2016-6354
PublicDate: 2016-09-21 14:25:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354
 http://seclists.org/oss-sec/2016/q3/97
Description:
 Heap-based buffer overflow in the yy_get_next_buffer function in Flex
 before 2.6.1 might allow context-dependent attackers to cause a denial of
 service or possibly execute arbitrary code via vectors involving
 num_to_read.
Ubuntu-Description:
Notes:
 mdeslaur> introduced in 2.5.36 by
  https://github.com/westes/flex/commit/9ba3187a537d6a58d345f2874d06087fd4050399
 sbeattie> redhat bug claims that it's not exploitable due to followup code
 sbeattie> also, simply replacing yy_size_t with int on num_to_read as in
  the upstream patch causes even more signed comparison warnings in flex
  generated sources; there's a comparison against a size_t variable in
  YY_INPUT for one. The "correct" fix for this likely includes the
  additional commit mentioned in the oss-security post.
 sbeattie> fixing will also require recompiling anything with generated
  code from the versions of flex in vivid through xenial.
Bugs:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832768
 https://bugzilla.redhat.com/show_bug.cgi?id=1360743
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_flex:
 upstream: https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466
upstream_flex: released (2.6.1)
precise_flex: not-affected (2.5.35-10ubuntu3)
precise/esm_flex: DNE (precise was not-affected [2.5.35-10ubuntu3])
trusty_flex: not-affected (2.5.35-10.1ubuntu2)
trusty/esm_flex: DNE (trusty was not-affected [2.5.35-10.1ubuntu2])
vivid/stable-phone-overlay_flex: DNE
vivid/ubuntu-core_flex: DNE
wily_flex: ignored (reached end-of-life)
xenial_flex: ignored (end of standard support, was needed)
esm-infra/xenial_flex: needed
yakkety_flex: not-affected (2.6.1-1)
zesty_flex: not-affected (2.6.1-1)
artful_flex: not-affected (2.6.1-1)
bionic_flex: not-affected (2.6.1-1)
cosmic_flex: not-affected (2.6.1-1)
disco_flex: not-affected (2.6.1-1)
eoan_flex: not-affected (2.6.1-1)
focal_flex: not-affected (2.6.1-1)
groovy_flex: not-affected (2.6.1-1)
hirsute_flex: not-affected (2.6.1-1)
impish_flex: not-affected (2.6.1-1)
jammy_flex: not-affected (2.6.1-1)
devel_flex: not-affected (2.6.1-1)
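Added example (editor's illustration, not flex's generated scanner code and not part of the tracker entry): a stand-alone model of the buffer-refill arithmetic that the description and the sbeattie notes refer to, showing why the type of num_to_read matters. The assumed shape of the refill step is: compute the free room as buf_size - number_to_move - 1, grow the buffer while that is <= 0, clamp the count to a per-read chunk size, then ask the input routine for that many bytes starting at buf[number_to_move]. The names refill_unsigned_counter, refill_signed_counter, overflow_bytes and READ_CHUNK, the 8192-byte clamp, the doubling growth and the 16 KiB scenario are all assumptions made for this model; buf_size is treated as the usable capacity.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef size_t yy_size_t;   /* flex's unsigned size type (assumption: size_t) */
#define READ_CHUNK 8192     /* stands in for the per-refill read clamp (assumed value) */

struct refill {
    size_t request;   /* bytes the input routine is asked to store at buf[number_to_move] */
    int    buf_size;  /* buffer capacity after any growth */
    bool   grew;      /* whether the "not enough room, grow it" branch ran */
};

/* Vulnerable shape: the room counter is unsigned. When number_to_move + 1 exceeds
 * buf_size, the negative int result converts to a huge yy_size_t, "<= 0" is false
 * (it is only true for exactly 0), the grow branch is skipped, and the clamp still
 * hands the input routine a positive byte count that the buffer cannot hold. */
struct refill refill_unsigned_counter(int buf_size, int number_to_move)
{
    struct refill r = { 0, buf_size, false };
    yy_size_t num_to_read = buf_size - number_to_move - 1;   /* wraps when negative */
    while (num_to_read <= 0) {                               /* i.e. == 0 for unsigned */
        r.grew = true;
        r.buf_size *= 2;
        num_to_read = r.buf_size - number_to_move - 1;
    }
    if (num_to_read > READ_CHUNK)
        num_to_read = READ_CHUNK;
    r.request = num_to_read;
    return r;
}

/* Fixed shape (the upstream change declares the counter int): a negative result
 * keeps the loop growing the buffer until there is real room. */
struct refill refill_signed_counter(int buf_size, int number_to_move)
{
    struct refill r = { 0, buf_size, false };
    int num_to_read = buf_size - number_to_move - 1;
    while (num_to_read <= 0) {
        r.grew = true;
        r.buf_size *= 2;
        num_to_read = r.buf_size - number_to_move - 1;
    }
    if (num_to_read > READ_CHUNK)
        num_to_read = READ_CHUNK;
    r.request = (size_t)num_to_read;
    return r;
}

/* Bytes the refill would write past the end of a buf_size-byte buffer when the
 * input routine is asked for `request` bytes starting at buf[number_to_move]. */
size_t overflow_bytes(int buf_size, int number_to_move, size_t request)
{
    size_t room = buf_size > number_to_move ? (size_t)(buf_size - number_to_move) : 0;
    return request > room ? request - room : 0;
}

int main(void)
{
    /* Constructed scenario: a 16 KiB buffer whose pending token already fills it,
     * so number_to_move == buf_size and the room computation goes negative. */
    int buf_size = 16384, number_to_move = 16384;
    struct refill bad = refill_unsigned_counter(buf_size, number_to_move);
    struct refill ok  = refill_signed_counter(buf_size, number_to_move);
    printf("unsigned counter: grew=%d request=%zu overflow=%zu bytes\n",
           bad.grew, bad.request, overflow_bytes(bad.buf_size, number_to_move, bad.request));
    printf("signed counter:   grew=%d request=%zu overflow=%zu bytes\n",
           ok.grew, ok.request, overflow_bytes(ok.buf_size, number_to_move, ok.request));
    return 0;
}
```

Note the `while (num_to_read <= 0)` line in the unsigned variant: that comparison is exactly the kind of signed/unsigned mismatch the notes say the one-line upstream patch shifts around rather than eliminates, and it is why the fix is only effective once every scanner generated by an affected flex is regenerated and rebuilt.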