Bug 19063 - flex new security issue CVE-2016-6354
Summary: flex new security issue CVE-2016-6354
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/696808/
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-07-27 16:19 CEST by David Walser
Modified: 2016-11-23 12:11 CET

See Also:
Source RPM: flex-2.5.39-3.mga5.src.rpm
CVE:
Status comment:


Attachments
2 little flex scripts (984 bytes, text/plain)
2016-11-22 21:52 CET, Lewis Smith

Description David Walser 2016-07-27 16:19:26 CEST
A CVE has been assigned for an issue fixed in flex 2.6.1:
http://openwall.com/lists/oss-security/2016/07/26/12

The fix was patch #2 linked in the message above.

We already have 2.6.1 in Cauldron.  However, it says that to fully fix this, software built with flex versions containing the bug may need to be rebuilt.  We updated flex in Cauldron after the mass rebuild and there are a large number of packages that BR flex.
Comment 1 David Walser 2016-07-27 16:20:19 CEST
I have checked the patch into Mageia 5 SVN.

Assignee: bugsquad => shlomif

Comment 2 David Walser 2016-08-09 20:13:09 CEST
Fedora has issued an advisory for this on August 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KZDEYNSCYVEMOKRO6EJOUZS7WM5WB43M/

URL: (none) => http://lwn.net/Vulnerabilities/696808/

Comment 3 Nicolas Lécureuil 2016-11-18 09:23:09 CET
uploaded:

SRPMS:   flex-2.5.39-3.1.mga5

CC: (none) => mageia
Assignee: shlomif => qa-bugs

Comment 4 David Walser 2016-11-18 15:15:32 CET
Nicolas, are we going to rebuild any of the affected packages that were built using the vulnerable flex?

Advisory:
========================

Updated flex packages fix security vulnerability:

It was found that flex incorrectly resized the num_to_read variable in
yy_get_next_buffer. The buffer is resized if this value is less or equal to
zero. With special crafted input it is possible, that the buffer is not resized
if the input is larger than the default buffer size of 16k. This allows a heap
buffer overflow. It may be possible to exploit this remotely, depending on the
application that is built using flex (CVE-2016-6354).

Note that any affected applications would need to be rebuilt with the updated
flex to fully fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KZDEYNSCYVEMOKRO6EJOUZS7WM5WB43M/
========================

Updated packages in core/updates_testing:
========================
flex-2.5.39-3.1.mga5

from flex-2.5.39-3.1.mga5.src.rpm
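The refill check the advisory describes, modelled as an added example (constructed here, not flex's own code and not from this bug report): the affected generated scanners declared num_to_read with the unsigned yy_size_t type, so the "less or equal to zero" grow test could only hold when the result was exactly zero, and flex 2.6.1 restored a signed int. The model assumes the 16384-byte default buffer named in the advisory and the 8192-byte YY_READ_BUF_SIZE read cap used by generated scanners; number_to_move values larger than the buffer stand in for the crafted-input case where the carried-over bytes already exceed the room.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the refill arithmetic in a flex-generated
 * yy_get_next_buffer(); it is not flex's code. On refill the scanner carries
 * number_to_move bytes of the current token to the front of a yy_buf_size
 * byte buffer, computes the room left (num_to_read) and must grow the buffer
 * when that room is <= 0 before it reads more input. */

#define YY_BUF_SIZE      16384  /* default scanner buffer, the 16k in the advisory */
#define YY_READ_BUF_SIZE 8192   /* per-refill read cap (assumed to match flex) */

/* Affected form (flex 2.5.36 through 2.6.0): num_to_read is unsigned, so a
 * negative result wraps to a huge value and the grow test holds only when the
 * result is exactly 0. Returns 1 if the buffer would be grown. */
static int grow_affected(int yy_buf_size, int number_to_move)
{
    size_t num_to_read = (size_t)(yy_buf_size - number_to_move - 1);
    return num_to_read <= 0;
}

/* Fixed form (flex 2.6.1): plain int, so any deficit is negative and the grow
 * loop runs before the read. */
static int grow_fixed(int yy_buf_size, int number_to_move)
{
    int num_to_read = yy_buf_size - number_to_move - 1;
    return num_to_read <= 0;
}

/* Bytes by which the affected scanner's next read would run past the end of
 * a buffer it failed to grow; 0 means the read fits. */
static long overrun_affected(int yy_buf_size, int number_to_move)
{
    if (grow_affected(yy_buf_size, number_to_move))
        return 0;                              /* buffer grown, read fits */
    size_t num_to_read = (size_t)(yy_buf_size - number_to_move - 1);
    if (num_to_read > YY_READ_BUF_SIZE)        /* clamp, as the scanner does */
        num_to_read = YY_READ_BUF_SIZE;
    long room = (long)yy_buf_size - number_to_move;  /* bytes really left */
    long over = (long)num_to_read - room;
    return over > 0 ? over : 0;
}

int main(void)
{
    int cases[] = { 1000, YY_BUF_SIZE - 1, YY_BUF_SIZE + 100 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int n = cases[i];
        printf("number_to_move=%-6d affected: grow=%d overrun=%ld  fixed: grow=%d\n",
               n, grow_affected(YY_BUF_SIZE, n), overrun_affected(YY_BUF_SIZE, n),
               grow_fixed(YY_BUF_SIZE, n));
    }
    return 0;
}
```

The last case is the one the advisory warns about: the fixed form grows the buffer, while the affected form skips the grow and then issues a clamped 8192-byte read into space it does not have. This is also why applications built with a vulnerable flex carry the defect in their own generated scanner and need a rebuild.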
Comment 5 Nicolas Lécureuil 2016-11-18 15:40:21 CET
is it needed ?
Comment 6 David Walser 2016-11-18 16:04:15 CET
(In reply to Nicolas Lécureuil from comment #5)
> is it needed ?

To actually fix the issue, it is, unfortunately.
Comment 7 Dave Hodgins 2016-11-21 21:23:20 CET
$ urpmq --whatrequires flex|sort -u
dkms-libafs
flex
php-devel
task-c-devel

Are there other packages that have flex as a build requires, and if so, a way
to list them?

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 8 David Walser 2016-11-21 21:24:57 CET
Yeah the issue is really with ones that have it as a BuildRequires (although if it's being used for building, as is probably the case in dkms-libafs, that counts too).  I think the only way to get urpmq to show those is if the Sources repository is enabled.

You can also use the Sophie IRC bot:
:what r -s -d Mageia -r 5 flex
Comment 9 Herman Viaene 2016-11-22 14:07:59 CET
MGA5-32 on AcerD620 Xfce
No installation issues
Followed testcase as per flex tutorial http://alumni.cs.ucr.edu/~lgao/teaching/flex.html
So, downloaded its sample1.lex file and in the CLI
$ flex sample1.lex -- this created the lex.yy.c file
$ gcc lex.yy.c -lfl -- results in a.out file
$ ./a.out -- first line hereafter is my input, second line is output
username
tester5
terminate with Ctrl-D

CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK

Comment 10 Lewis Smith 2016-11-22 21:45:30 CET
Testing M5-64 real h/w
Using the two miniscripts from :-
 http://alumni.cs.ucr.edu/~lgao/teaching/flex/sample1.lex
 http://alumni.cs.ucr.edu/~lgao/teaching/flex/sample2.lex
and doing for each one, following their instructions:
 $ flex sample[1|2].lex
 $ gcc lex.yy.c -lfl
 $ ./a.out

Sample1 is slightly enigmatic:
I/P: the literal string 'username', NOT your username.
O/P: your Unix username.
^D to end.

Sample2: just type anything, multiple lines. End with ^D yields e.g.
# of lines = 3, # of chars = 94

BEFORE the update: flex-2.5.39-3.mga5
 Both tests work.

AFTER update: flex-2.5.39-3.1.mga5
 Same.

The update is OK. Validating. Thanks Herman for the lead link. I shall add the two scripts as an attachment for future use.

Keywords: (none) => validated_update
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs

Comment 11 Lewis Smith 2016-11-22 21:52:13 CET
Created attachment 8692
2 little flex scripts

Both scripts tell how to deploy them; end with ^D .
sample1 : input literal 'username', it returns your actual Unix username.
sample2 : type anything on several lines, after ^D it outputs line/char counts.
Comment 12 Mageia Robot 2016-11-23 12:11:48 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0396.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

