GNU Bison before 3.5.4 allows attackers to cause a denial of service (application crash). NOTE: there is a risk only if Bison is used with untrusted input, and an observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug reports were intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated by Bison.
bison vulnerability CVE-2020-14150 => bison new security issue CVE-2020-14150
Source RPM:
Hi, thanks for reporting this.
Assigned to the package maintainer.
(Please set the status to 'assigned' if you are working on it)
Fixed upstream in 3.5.4
Updated package uploaded for Mageia 7.
Updated bison package fixes security vulnerability:
It was discovered that GNU Bison before 3.5.4 allows attackers to cause a denial of service (application crash) (CVE-2020-14150).
Updated packages in core/updates_testing:
$ uname -a
Linux linux.local 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
The following 3 packages are going to be installed:
- m4-1.4.18-2.mga7.x86_64
I found an example over at: http://fhoerni.free.fr/comp/bison_flex.html
I ran it through with the following command:
bison -d parser.y
It created a nice 47K C file and headers.
Works for me.
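The validation above can be made repeatable. The script below is an added example, not code from the Mageia bug, the Bison project or the page linked in the comment; it writes a small constructed calculator grammar into a scratch directory, runs `bison -d` on it under a time limit (the CVE description stresses that the risk is a crash in Bison itself on untrusted grammar input), checks that the .tab.c and .tab.h outputs were produced, and separately checks whether the installed Bison is at least the fixed 3.5.4 release. It assumes a POSIX sh with `bison` on PATH (the smoke test reports status 2 when it is not), `mktemp -d`, and, optionally, coreutils `timeout`.

```shell
#!/bin/sh
# Added example (not from the Mageia bug report or GNU Bison itself).
# Assumptions: POSIX sh, mktemp -d, bison on PATH; `timeout` is used if present.

# version_ge A B: succeed when dotted version A is >= B (numeric per component).
version_ge() {
    first=$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$first" = "$2" ]
}

# bison_version: print the version reported by `bison --version`, e.g. 3.7.6.
bison_version() {
    bison --version | head -n1 | awk '{print $NF}'
}

# bison_fixed: 0 if installed Bison is >= 3.5.4 (CVE-2020-14150 fixed upstream),
# 1 if older, 2 if bison is not installed.
bison_fixed() {
    command -v bison >/dev/null 2>&1 || return 2
    version_ge "$(bison_version)" 3.5.4
}

# run_limited: run a command under a wall-clock limit when `timeout` exists,
# so a hang on a malicious grammar cannot stall the check indefinitely.
run_limited() {
    if command -v timeout >/dev/null 2>&1; then
        timeout 10 "$@"
    else
        "$@"
    fi
}

# bison_smoke_test: generate a parser from a constructed grammar in a fresh
# temporary directory; 0 when parser.tab.c and parser.tab.h are produced,
# 1 when bison fails or crashes, 2 when bison/mktemp is unavailable.
bison_smoke_test() {
    command -v bison >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 2
    # Constructed sample grammar (not from the page): a tiny +/- calculator.
    cat > "$dir/parser.y" <<'EOF'
%{
#include <stdio.h>
int yylex(void);
void yyerror(const char *s) { fprintf(stderr, "%s\n", s); }
%}
%token NUM
%left '+' '-'
%%
input: %empty | input expr '\n' { printf("= %d\n", $2); } ;
expr: NUM | expr '+' expr { $$ = $1 + $3; } | expr '-' expr { $$ = $1 - $3; } ;
%%
EOF
    if ! (cd "$dir" && run_limited bison -d parser.y); then
        rm -rf "$dir"
        return 1
    fi
    [ -s "$dir/parser.tab.c" ] && [ -s "$dir/parser.tab.h" ]
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Stand-alone usage: report the version status and run the smoke test.
if bison_fixed; then
    echo "bison $(bison_version): at or above 3.5.4"
elif [ $? -eq 1 ]; then
    echo "bison $(bison_version): older than 3.5.4, update it"
else
    echo "bison not installed"
fi
bison_smoke_test && echo "smoke test: parser and header generated"
```

The version check only tells you whether the package is at least the release where the fix landed; a distribution may backport the fix to an older version string, in which case the package changelog (here, the Mageia update) is the authoritative source.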
Validating. Advisory in Comment 3.
Advisory pushed to SVN.
An update for this issue has been pushed to the Mageia Updates repository.