Bug 1190019 (CVE-2020-18974)

Summary: VUL-1: CVE-2020-18974: nasm: buffer overflow in crc64i() nasmlib/crc64.c
Product: [Novell Products] SUSE Security Incidents
Reporter: Gabriele Sonnu <gabriele.sonnu>
Component: Incidents
Assignee: Michael Vetter <mvetter>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: amajer, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/308327/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-18974:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: nasm-factory.log, nasm-SLE15.log

Description Gabriele Sonnu 2021-08-31 14:46:26 UTC
Buffer Overflow in Netwide Assembler (NASM) v2.15.xx allows attackers to cause a denial of service via 'crc64i' in the component 'nasmlib/crc64'. This issue is different from CVE-2019-7147.

References:
https://bugzilla.nasm.us/show_bug.cgi?id=3392568
https://bugzilla.redhat.com/show_bug.cgi?id=1998315
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-18974

Comment 1 Gabriele Sonnu 2021-08-31 14:48:19 UTC
We currently ship these packages:

- SUSE:SLE-15:Update/nasm  2.14.02
- openSUSE:Factory/nasm    2.15.05

No upstream patch is available.

Upstream issue and reproducer:
https://bugzilla.nasm.us/show_bug.cgi?id=3392568

I couldn't reproduce the issue. Running the PoC with an ASAN-enabled build of nasm produces different output:

- SUSE:SLE-15:Update: heap-use-after-free
- openSUSE:Factory: some memory leaks

I have attached the execution log for both the openSUSE and SLE-15 packages.

Could you please double-check?

Comment 2 Gabriele Sonnu 2021-08-31 14:48:46 UTC
Created attachment 852191
nasm-factory.log

Comment 3 Gabriele Sonnu 2021-08-31 14:49:14 UTC
Created attachment 852192
nasm-SLE15.log