CVE-2016-6354

Priority
Description
Heap-based buffer overflow in the yy_get_next_buffer function in Flex
before 2.6.1 might allow context-dependent attackers to cause a denial of
service or possibly execute arbitrary code via vectors involving
num_to_read.
Notes
mdeslaur: introduced in 2.5.36 by
https://github.com/westes/flex/commit/9ba3187a537d6a58d345f2874d06087fd4050399
sbeattie: redhat bug claims that it's not exploitable due to followup code
also, simply replacing yy_size_t with int on num_to_read as
in the upstream patch causes even more signed comparison warnings in
flex generated sources; there's a comparison against a size_t
variable in YY_INPUT for one. The "correct" fix for this likely includes
the additional commit mentioned in the oss-security post.
fixing will also require recompiling anything with generated
code from the versions of flex in vivid through xenial.
Package
Source: flex (LP Ubuntu Debian)
Upstream: released (2.6.1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was not-affected [2.5.35-10ubuntu3])
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was not-affected [2.5.35-10.1ubuntu2])
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (2.6.1-1)
Ubuntu 19.10 (Eoan Ermine): not-affected (2.6.1-1)
Ubuntu 20.04 (Focal Fossa): not-affected (2.6.1-1)
Patches:
Upstream: https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466

Updated: 2020-04-24 03:32:53 UTC (commit d3f8a6ed481830fb100109a132bef581fc4176fe)