Bug 1026047 - VUL-0: flex,flex-old: buffer overflow issues fixed in 2.6.2 and 2.6.3
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Assigned To: Michal Marek
Security Team bot
https://smash.suse.de/issue/171375/
Reported: 2017-02-19 19:07 UTC by Andreas Stieger
Modified: 2020-01-10 15:40 UTC (History)

Found By: Security Response Team
Description Andreas Stieger 2017-02-19 19:07:01 UTC
Bug #990856 handled items fixed in flex 2.6.1; here are some fixed later:

> * version 2.6.2 released 2016-10-24
> [...]
> *** prevented a buffer overflow that could occur when input buffers
> were the exact wrong size

https://github.com/westes/flex/commit/00bc43fa045008aa306ef07d4f5d018d91f233ed

>  cast and fix usage of log10(), ceil to prevent buffer overflow 

https://github.com/westes/flex/commit/babe9a1e8eeb5497756d4d7998dd1ca82c62a189

>  Fix potential buffer overflow in strncat()
> 
> When using clang/llvm 3.8 to compile flex, the following warning is
> emitted:
> 
> main.c:378:27: warning: the value of the size argument in 'strncat' is too large, might lead to a buffer overflow [-Wstrncat-size]
>                                         strncat(m4_path, m4, sizeof(m4_path));
>                                                              ^~~~~~~~~~~~~~~
> main.c:378:27: note: change the argument to be the free space in the destination buffer minus the terminating null byte
>                                         strncat(m4_path, m4, sizeof(m4_path));
>                                                              ^~~~~~~~~~~~~~~
>                                                              sizeof(m4_path) - strlen(m4_path) - 1

> Fix it up by using the solution proposed by the warning message.

Further:

> * version 2.6.3 released 2016-12-30
> [...]
> *** If the path to m4 was sufficiently long, a buffer overflow could
>     occur. This has been resolved. The fix also removes dependence on
>     the constant PATH_MAX.

https://github.com/westes/flex/commit/7975c43384d766ca12cb3f292754dbdc34168886

>  scanner: allocate correct buffer size for m4 path.
> 
> Flex did not check the length of the m4 path which could lead to a
> buffer overflow in some cases. Additionally, not all platforms believe
> in PATH_MAX, so stop relying on it.

Issue for this is https://github.com/westes/flex/issues/138
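A worked illustration of the two fixes quoted above, as an added example that is not flex's own code: the strncat bound must be the free space in the destination minus the terminating NUL, and the m4 path buffer is sized from the actual component lengths instead of PATH_MAX. M4_PATH_SIZE and the path strings are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Deliberately small destination so the size arithmetic is easy to follow
   (constructed value; flex itself used a PATH_MAX-sized array). */
#define M4_PATH_SIZE 16

/* strncat(dst, src, n) writes strlen(dst) + min(strlen(src), n) + 1 bytes
   into dst. Returns by how many bytes that exceeds dst_size (0 if it fits).
   Passing n == sizeof(dst), as in the warning, ignores what dst already holds. */
size_t strncat_overrun(size_t dst_len, size_t src_len, size_t n, size_t dst_size)
{
    size_t copied = src_len < n ? src_len : n;
    size_t needed = dst_len + copied + 1;
    return needed > dst_size ? needed - dst_size : 0;
}

/* Bounded append using the bound clang proposes:
   sizeof(dst) - strlen(dst) - 1. Returns 0 on success, -1 if src was
   truncated (or dst is not NUL-terminated within dst_size). */
int append_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t used = strnlen(dst, dst_size);
    if (used >= dst_size)
        return -1;
    size_t room = dst_size - used - 1;
    strncat(dst, src, room);
    return strlen(src) > room ? -1 : 0;
}

/* 2.6.3-style fix: allocate exactly dir + '/' + m4 + NUL instead of
   assuming PATH_MAX. Caller frees. Returns NULL on allocation failure. */
char *build_m4_path(const char *dir, const char *m4)
{
    size_t len = strlen(dir) + 1 + strlen(m4) + 1;
    char *path = malloc(len);
    if (!path)
        return NULL;
    snprintf(path, len, "%s/%s", dir, m4);
    return path;
}
```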
Comment 1 Swamp Workflow Management 2017-02-19 23:00:17 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2017-02-28 16:33:01 UTC
https://github.com/westes/flex/commit/00bc43fa045008aa306ef07d4f5d018d91f233ed

can be triggered while converting a ".l" file, not in the generated parser as far as I see.

I see passing in a malicious .l file as a non-problem, as these files also contain C code that is built later on.

=> not a security violation

and the other issues are around "m4" called by flex during processing .l files.

https://github.com/westes/flex/commit/babe9a1e8eeb5497756d4d7998dd1ca82c62a189

While the warning is correct, there are checks before that verify the size as far as I see.

Also this is coming via the "M4" environment variable passed into a flex instance.

Where you could just put your own "m4" wrapper code to execute code.

=> not a security violation on the other 3.

I do not consider these security issues, they will not have impact on generated parsers.
Comment 3 Michal Marek 2017-03-01 15:14:56 UTC
Right, this is a buffer overflow in flex itself, not the generated scanners.
Comment 4 Bernhard Wiedemann 2017-06-29 12:00:43 UTC
This is an autogenerated message for OBS integration:
This bug (1026047) was mentioned in
https://build.opensuse.org/request/show/507031 Factory / flex
Comment 5 Bernhard Wiedemann 2017-07-03 12:01:34 UTC
This is an autogenerated message for OBS integration:
This bug (1026047) was mentioned in
https://build.opensuse.org/request/show/507762 Factory / flex
Comment 7 Swamp Workflow Management 2020-01-10 14:16:34 UTC
SUSE-RU-2020:0062-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1026047,1160201
CVE References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    flex-2.6.4-9.3.1
SUSE OpenStack Cloud 8 (src):    flex-2.6.4-9.3.1
SUSE OpenStack Cloud 7 (src):    flex-2.6.4-9.3.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    flex-2.6.4-9.3.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    flex-2.6.4-9.3.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    flex-2.6.4-9.3.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    flex-2.6.4-9.3.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    flex-2.6.4-9.3.1
SUSE Linux Enterprise Server 12-SP5 (src):    flex-2.6.4-9.3.1
SUSE Linux Enterprise Server 12-SP4 (src):    flex-2.6.4-9.3.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    flex-2.6.4-9.3.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    flex-2.6.4-9.3.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    flex-2.6.4-9.3.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    flex-2.6.4-9.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    flex-2.6.4-9.3.1
SUSE Enterprise Storage 5 (src):    flex-2.6.4-9.3.1
HPE Helion Openstack 8 (src):    flex-2.6.4-9.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.