CVE-2016-6354

Priority
Description
Heap-based buffer overflow in the yy_get_next_buffer function in Flex
before 2.6.1 might allow context-dependent attackers to cause a denial of
service or possibly execute arbitrary code via vectors involving
num_to_read.
Notes
 mdeslaur> introduced in 2.5.36 by
 mdeslaur> https://github.com/westes/flex/commit/9ba3187a537d6a58d345f2874d06087fd4050399
 sbeattie> Red Hat bug claims that it's not exploitable due to follow-up code
 sbeattie> also, simply replacing yy_size_t with int on num_to_read as
  in the upstream patch causes even more signed comparison warnings in
  flex generated sources; there's a comparison against a size_t
  variable in YY_INPUT for one. The "correct" fix for this likely includes
  the additional commit mentioned in the oss-security post.
 sbeattie> fixing will also require recompiling anything with generated
  code from the versions of flex in vivid through xenial.
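The notes above turn on a signed/unsigned type change: the 2.5.36 commit made num_to_read a yy_size_t (unsigned), so the "not enough room, grow the buffer" check can no longer see a negative value, and the 2.6.1 fix makes it int again but then compares it against size_t values. The block below is an added C model of that refill arithmetic written for this page; it is not flex's generated scanner code or either upstream commit. The identifiers buf_size, number_to_move, num_to_read and READ_BUF_SIZE mirror the flex names, the doubling grow loop and the clamp to one read chunk are assumptions that simplify the real control flow, and no buffer is written: each function only reports what the arithmetic would do. It does not settle whether the negative case is reachable in a real scanner, which is the point the Red Hat note disputes.

```c
/* Reduced model of the buffer-refill arithmetic behind CVE-2016-6354.
 * Added illustration, not flex's generated scanner code: the identifiers
 * mirror the flex names, the control flow is simplified (assumed doubling
 * grow loop, assumed clamp) and no real buffer is written, so the
 * functions only report what the arithmetic would do. */
#include <stddef.h>
#include <stdio.h>

#define READ_BUF_SIZE 8192      /* stands in for YY_READ_BUF_SIZE (assumed value) */
typedef size_t yy_size_t;       /* flex's yy_size_t is an unsigned type */

/* Free room left after the bytes kept at the front of the buffer,
 * computed in signed arithmetic so a deficit is visible; never negative. */
static long room_left(size_t buf_size, size_t number_to_move)
{
    long room = (long)buf_size - (long)number_to_move - 1;
    return room < 0 ? 0 : room;
}

/* flex 2.5.36 .. 2.6.0 shape: num_to_read declared yy_size_t.
 * Returns how many bytes the read would place past the free room
 * (0 means the read fits). */
size_t overflow_with_unsigned(size_t buf_size, size_t number_to_move)
{
    yy_size_t num_to_read = buf_size - number_to_move - 1;

    /* "Not enough room - grow it": for an unsigned value this only fires
     * when the subtraction is exactly 0.  A negative result has already
     * wrapped to a huge positive value and skips the grow path. */
    while (num_to_read <= 0) {
        buf_size *= 2;                      /* assumed grow policy */
        num_to_read = buf_size - number_to_move - 1;
    }
    /* In this model the follow-up clamp bounds the read to one chunk;
     * it does not restore the missing room check. */
    if (num_to_read > READ_BUF_SIZE)
        num_to_read = READ_BUF_SIZE;

    size_t room = (size_t)room_left(buf_size, number_to_move);
    return num_to_read > room ? num_to_read - room : 0;
}

/* flex 2.6.1 shape (commit a5cbe929): num_to_read declared int, so a
 * negative result is visible to the grow check. */
size_t overflow_with_signed(size_t buf_size, size_t number_to_move)
{
    int num_to_read = (int)buf_size - (int)number_to_move - 1;

    while (num_to_read <= 0) {
        buf_size *= 2;                      /* assumed grow policy */
        num_to_read = (int)buf_size - (int)number_to_move - 1;
    }
    if (num_to_read > READ_BUF_SIZE)
        num_to_read = READ_BUF_SIZE;

    size_t room = (size_t)room_left(buf_size, number_to_move);
    return (size_t)num_to_read > room ? (size_t)num_to_read - room : 0;
}

/* The warning sbeattie mentions: an int compared against a size_t.
 * Under the usual arithmetic conversions the int is converted to size_t
 * first, so a negative n becomes a huge value and "-1 < 10" is false.
 * This is exactly the -Wsign-compare case; the checked variant decides
 * the sign before casting. */
int less_mixed(int n, size_t avail)
{
    return n < avail;                       /* implicit int -> size_t */
}

int less_checked(int n, size_t avail)
{
    return n < 0 || (size_t)n < avail;
}

int main(void)
{
    printf("unsigned, 16-byte buffer, 20 bytes kept: %zu bytes past the room\n",
           overflow_with_unsigned(16, 20));
    printf("signed,   16-byte buffer, 20 bytes kept: %zu bytes past the room\n",
           overflow_with_signed(16, 20));
    printf("-1 < 10 with mixed types: %d, with a sign check first: %d\n",
           less_mixed(-1, 10), less_checked(-1, 10));
    return 0;
}
```

Compile with -Wall -Wextra to see the diagnostics the note refers to: the int version draws a signed/unsigned comparison warning wherever num_to_read meets a size_t, which is why simply flipping the type is not the whole fix.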
Package
Source: flex (LP Ubuntu Debian)
Upstream:released (2.6.1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was not-affected [2.5.35-10ubuntu3])
Ubuntu 14.04 LTS (Trusty Tahr):not-affected (2.5.35-10.1ubuntu2)
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (2.6.1-1)
Ubuntu 18.10 (Cosmic Cuttlefish):not-affected (2.6.1-1)
Ubuntu 19.04 (Disco Dingo):not-affected (2.6.1-1)
Patches:
Upstream:https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466
More Information

Updated: 2019-01-14 21:19:49 UTC (commit 51f9b73af244ba86b9321e46e526586c25a8e060)