GNU Bison before 3.5.4 allows attackers to cause a denial of service (application crash). NOTE: there is a risk only if Bison is used with untrusted input, and an observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug reports were intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated by Bison.
CVE: (none) => CVE-2020-14150
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14150
Summary: bison vulnerability CVE-2020-14150 => bison new security issue CVE-2020-14150
Source RPM: bison => bison-3.3.2-1.mga7.src.rpm
Hi, thanks for reporting this. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Assignee: bugsquad => shlomif
CC: (none) => ouaurelien
Assignee: shlomif => pkg-bugs
CC: (none) => luigiwalser
CC: luigiwalser => (none)
Status comment: (none) => Fixed upstream in 3.5.4
Updated package uploaded for Mageia 7.

Advisory:
========================

Updated bison package fixes security vulnerability:

It was discovered that GNU Bison before 3.5.4 allows attackers to cause a denial of service (application crash) (CVE-2020-14150).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14150
========================

Updated packages in core/updates_testing:
========================
bison-3.5.4-1.mga7
lib64bison-static-devel-3.5.4-1.mga7

from bison-3.5.4-1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
CC: (none) => mrambo
Status comment: Fixed upstream in 3.5.4 => (none)
$ uname -a
Linux linux.local 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

The following 3 packages are going to be installed:
- bison-3.5.4-1.mga7.x86_64
- lib64bison-static-devel-3.5.4-1.mga7.x86_64
- m4-1.4.18-2.mga7.x86_64

--- installed fine ---

I found an example over at: http://fhoerni.free.fr/comp/bison_flex.html

I ran it through with the following command:

bison -d parser.y

---- it created a nice 47K c file and headers. Works for me.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1
Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory pushed to SVN.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0023.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED