Bug 27730

Summary: bison new security issue CVE-2020-14150
Product: Mageia Reporter: Zombie Ryushu <zombie_ryushu>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, brtians1, mhrambo3501, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-14150
Whiteboard: MGA7-64-OK
Source RPM: bison-3.3.2-1.mga7.src.rpm CVE: CVE-2020-14150
Status comment:

Description Zombie Ryushu 2020-12-04 08:21:41 CET 
GNU Bison before 3.5.4 allows attackers to cause a denial of service (application crash). NOTE: there is a risk only if Bison is used with untrusted input, and an observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug reports were intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated by Bison.
Zombie Ryushu 2020-12-04 08:21:57 CET

CVE: (none) => CVE-2020-14150

Comment 1 David Walser 2020-12-04 13:27:25 CET 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14150

Summary: bison vulnerability CVE-2020-14150 => bison new security issue CVE-2020-14150
Source RPM: bison => bison-3.3.2-1.mga7.src.rpm

Comment 2 Aurelien Oudelet 2020-12-07 10:42:24 CET 
Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => shlomif
CC: (none) => ouaurelien

David Walser 2020-12-27 23:48:11 CET

Assignee: shlomif => pkg-bugs
CC: (none) => luigiwalser

David Walser 2020-12-27 23:48:59 CET

CC: luigiwalser => (none)

David Walser 2020-12-28 19:08:20 CET

Status comment: (none) => Fixed upstream in 3.5.4

Comment 3 Mike Rambo 2020-12-30 04:41:21 CET 
Updated package uploaded for Mageia 7.

Advisory:
========================

Updated bison package fixes security vulnerability:

It was discovered that GNU Bison before 3.5.4 allows attackers to cause a denial of service (application crash) (CVE-2020-14150).


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14150
========================

Updated packages in core/updates_testing:
========================
bison-3.5.4-1.mga7
lib64bison-static-devel-3.5.4-1.mga7

from bison-3.5.4-1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
CC: (none) => mrambo

David Walser 2020-12-30 12:09:26 CET

Status comment: Fixed upstream in 3.5.4 => (none)

Comment 4 Brian Rockwell 2021-01-09 22:56:51 CET 
$ uname -a
Linux linux.local 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

The following 3 packages are going to be installed:

- bison-3.5.4-1.mga7.x86_64
- lib64bison-static-devel-3.5.4-1.mga7.x86_64
- m4-1.4.18-2.mga7.x86_64The following 3 packages are going to be installed:

- bison-3.5.4-1.mga7.x86_64
- lib64bison-static-devel-3.5.4-1.mga7.x86_64
- m4-1.4.18-2.mga7.x86_64

---

installed fine

---

I found an example over at:  http://fhoerni.free.fr/comp/bison_flex.html

I ran it through with the following command:

bison -d parser.y

----

it created a nice 47K c file and headers.


Works for me.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1

Comment 5 Thomas Andrews 2021-01-10 01:19:07 CET 
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Aurelien Oudelet 2021-01-12 14:20:50 CET 
Advisory pushed to SVN.
Aurelien Oudelet 2021-01-12 14:20:58 CET

Keywords: (none) => advisory

Comment 7 Mageia Robot 2021-01-14 16:14:50 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0023.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED