A CVE has been assigned for an issue fixed in flex 2.6.1: http://openwall.com/lists/oss-security/2016/07/26/12 The fix was patch #2 linked in the message above. We already have 2.6.1 in Cauldron. However, it says that to fully fix this, software built with flex versions containing the bug may need to be rebuilt. We updated flex in Cauldron after the mass rebuild and there are a large number of packages that BR flex.
I have checked the patch into Mageia 5 SVN.
Assignee: bugsquad => shlomif
Fedora has issued an advisory for this on August 8: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KZDEYNSCYVEMOKRO6EJOUZS7WM5WB43M/
URL: (none) => http://lwn.net/Vulnerabilities/696808/
uploaded: SRPMS: flex-2.5.39-3.1.mga5
CC: (none) => mageia
Assignee: shlomif => qa-bugs
Nicolas, are we going to rebuild any of the affected packages that were built using the vulnerable flex?
Advisory:
========================
Updated flex packages fix security vulnerability:
It was found that flex incorrectly resized the num_to_read variable in yy_get_next_buffer. The buffer is resized if this value is less or equal to zero. With special crafted input it is possible, that the buffer is not resized if the input is larger than the default buffer size of 16k. This allows a heap buffer overflow. It may be possible to exploit this remotely, depending on the application that is built using flex (CVE-2016-6354).
Note that any affected applications would need to be rebuilt with the updated flex to fully fix this issue.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KZDEYNSCYVEMOKRO6EJOUZS7WM5WB43M/
========================
Updated packages in core/updates_testing:
========================
flex-2.5.39-3.1.mga5
from flex-2.5.39-3.1.mga5.src.rpm
is it needed ?
(In reply to Nicolas Lécureuil from comment #5)
> is it needed ?
To actually fix the issue, it is, unfortunately.
$ urpmq --whatrequires flex|sort -u
dkms-libafs
flex
php-devel
task-c-devel
Are there other packages that have flex as a build requires, and if so, a way to list them?
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
Yeah the issue is really with ones that have it as a BuildRequires (although if it's being used for building, as is probably the case in dkms-libafs, that counts too). I think the only way to get urpmq to show those is if the Sources repository is enabled. You can also use the Sophie IRC bot:
:what r -s -d Mageia -r 5 flex
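Added example, not part of the original bug thread: besides packages that BuildRequire flex, a source tree may ship a pre-generated scanner, and this sketch lists such files with the flex version stamped into them and the declared type of num_to_read. It assumes the YY_FLEX_*_VERSION macros that flex writes into its output; a patched distribution build such as flex-2.5.39-3.1.mga5 still stamps 2.5.39, so the version flag only marks candidates and the reported declaration has to be compared against the patch linked in the first comment. The sample scanner text is constructed.

```python
import os
import re
import tempfile

FIXED = (2, 6, 1)  # first fixed upstream release named in this thread
MACRO = re.compile(r"^#define[ \t]+YY_FLEX_(MAJOR|MINOR|SUBMINOR)_VERSION[ \t]+(\d+)", re.M)
DECL = re.compile(r"^[ \t]*([A-Za-z_]\w*)[ \t]+num_to_read[ \t]*=", re.M)

# Constructed excerpt in the shape of a flex-generated scanner (not real flex output).
SAMPLE = """#define YY_FLEX_MAJOR_VERSION 2
#define YY_FLEX_MINOR_VERSION 5
#define YY_FLEX_SUBMINOR_VERSION 39
        yy_size_t num_to_read =
            YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
"""

def inspect_scanner(text):
    """Return (flex version, declared type of num_to_read), or None if not flex output."""
    parts = {name: int(value) for name, value in MACRO.findall(text)}
    if "MAJOR" not in parts or "MINOR" not in parts:
        return None
    version = (parts["MAJOR"], parts["MINOR"], parts.get("SUBMINOR", 0))
    decl = DECL.search(text)
    return version, (decl.group(1) if decl else None)

def audit_tree(root):
    """List (relative path, version, older_than_2_6_1, num_to_read type) per scanner."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".c", ".cc", ".cpp")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                info = inspect_scanner(fh.read())
            if info:
                findings.append((os.path.relpath(path, root), info[0], info[0] < FIXED, info[1]))
    return sorted(findings)

def demo():
    """Audit a temporary tree holding the constructed sample and a hand-written C file."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("lex.yy.c", SAMPLE), ("main.c", "int main(void) { return 0; }\n")):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_tree(root)

if __name__ == "__main__":
    print(demo())
```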
MGA5-32 on AcerD620 Xfce
No installation issues
Followed testcase as per flex tutorial http://alumni.cs.ucr.edu/~lgao/teaching/flex.html
So, downloaded its sample1.lex file and at CLI
$ flex sample1.lex -- this created the lex.yy.c file
$ gcc lex.yy.c -lfl -- results in a.out file
$ ./a.out -- first line hereafter is my input, second line is output
username
tester5
terminate with Ctrl-D
CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK
Testing M5-64 real h/w
Using the two miniscripts from :-
http://alumni.cs.ucr.edu/~lgao/teaching/flex/sample1.lex
http://alumni.cs.ucr.edu/~lgao/teaching/flex/sample2.lex
and doing for each one, following their instructions:
$ flex sample[1|2].lex
$ gcc lex.yy.c -lfl
$ ./a.out
Sample1 is slightly enigmatic:
I/P: the literal string 'username', NOT your username.
O/P: your Unix username.
^D to end.
Sample2: just type anything, multiple lines. End with ^D yields e.g.
# of lines = 3, # of chars = 94
BEFORE the update: flex-2.5.39-3.mga5
Both tests work.
AFTER update: flex-2.5.39-3.1.mga5
Same. The update is OK. Validating.
Thanks Herman for the lead link. I shall add the two scripts as an attachment for future use.
Keywords: (none) => validated_update
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs
Created attachment 8692
2 little flex scripts
Both scripts tell how to deploy them; end with ^D .
sample1 : input literal 'username', it returns your actual Unix username.
sample2 : type anything on several lines, after ^D it outputs line/char counts.
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0396.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED