Bug 990856 - (CVE-2016-6354) VUL-1: CVE-2016-6354: flex,flex-old: buffer overflow in generated code (yy_get_next_buffer)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
QA Contact: Security Team bot
https://smash.suse.de/issue/171375/
CVSSv2:RedHat:CVE-2016-6354:2.6:(AV:N...
Depends on:
Blocks:
Reported: 2016-07-27 12:51 UTC by Andreas Stieger
Modified: 2021-11-16 11:41 UTC (History)
CC List: 18 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
SLE12 packages with a copy of the buggy scanner (4.41 KB, text/plain)
2016-08-04 14:43 UTC, Michal Marek
SLE12 packages which buildrequire flex (11.04 KB, text/plain)
2016-08-04 14:44 UTC, Michal Marek
SLE12 packages with a copy of the buggy scanner - sorted (4.27 KB, text/plain)
2016-08-04 15:45 UTC, Michal Marek
SLE12 packages which buildrequire flex - sorted (9.96 KB, text/plain)
2016-08-04 15:45 UTC, Michal Marek
postgresql94: Rebuild all flex scanners (1.23 KB, patch)
2016-11-09 14:37 UTC, Michal Marek

Description Andreas Stieger 2016-07-27 12:51:41 UTC
http://seclists.org/oss-sec/2016/q3/163

    flex upstream changed some integer types in 2.5.36[1] to unsigned integer
    types (size_t). Especially the num_to_read variable in
    yy_get_next_buffer is critical, because the buffer is resized if this
    value is _less than_ or equal to zero.

    With specially crafted input it is possible that the buffer is not
    resized if the input is larger than the default buffer size of 16k. This
    allows a heap buffer overflow.

    It may also be usable remotely; it depends on the software that is built
    using flex. We noticed for example that bogofilter segfaults sometimes
    depending on the incoming mail.

    Upstream already noticed that this may be a problem[2] but did not
    escalate it as a security issue.


Use CVE-2016-6354 for this num_to_read issue.


    Upstream also changed some other types
    back from size_t to int (for example in [3]), so maybe it is not
    sufficient to only change num_to_read back to int.

    The upstream fix is contained in 2.6.1, but there are more integer type
    fixes in the master branch of flex (currently not in a released
    version).

    As the issue is in the generated code at compile time, it is not
    sufficient to fix flex; all binaries using flex as a build dependency
    may need a rebuild after fixing flex. Additionally there may be packages
    that supply the generated source in the release tar and do not use flex
    during building.


    1: https://github.com/westes/flex/commit/9ba3187a537d6a58d345f2874d06087fd4050399
    2: https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466
    3: https://github.com/westes/flex/commit/7a7c3dfe1bcb8230447ba1656f926b4b4cdfc457


As far as we know, there has not been any discussion specifically
showing that there is a security issue associated with any of the
changes other than the num_to_read change. Accordingly, there are no
other CVE IDs at this time.

7a7c3dfe1bcb8230447ba1656f926b4b4cdfc457 refers to "sf 184, 187" - in other words,

  https://sourceforge.net/p/flex/bugs/184/
  https://sourceforge.net/p/flex/bugs/187/

Among the concerns cited is "POSIX mandates that yyleng has type int,
but flex defines it as yy_size_t. This breaks programs that use the
POSIX-compatible declaration." The MITRE CVE team has not been
studying 7a7c3dfe1bcb8230447ba1656f926b4b4cdfc457 or the mentioned
master-branch commits - the only point is that integer types sometimes
need to be changed without a security-related motivation.




References:
https://bugzilla.redhat.com/show_bug.cgi?id=1360743
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6354
http://seclists.org/oss-sec/2016/q3/163
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6354.html
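The size check the report describes, as an added example (this is not flex's generated code and not from any attachment on this bug): a simplified C model of the num_to_read arithmetic in yy_get_next_buffer, with the broken yy_size_t form beside the int form restored by the upstream fix. The doubling grow loop and the YY_READ_BUF_SIZE clamp mirror the generated scanner; the number_to_move values used below are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not flex's own code: models what yy_get_next_buffer() computes
 * before it hands a destination pointer and a byte count to YY_INPUT.
 * YY_BUF_SIZE is the 16k default named in the report; YY_READ_BUF_SIZE is the
 * default chunk size flex asks YY_INPUT for.
 */
#define YY_BUF_SIZE      16384
#define YY_READ_BUF_SIZE 8192
#define MAX_GROW_STEPS   8      /* bound for the model's grow loop */

typedef size_t yy_size_t;

struct read_plan {
    size_t buf_size;     /* yy_buf_size after any growth */
    size_t dest_offset;  /* number_to_move: where YY_INPUT starts writing */
    size_t bytes;        /* num_to_read handed to YY_INPUT */
    int    grew;         /* 1 if the "not enough room, grow it" loop ran */
};

/* Broken variant (flex 2.5.36 up to 2.6.0): num_to_read is yy_size_t. */
static struct read_plan plan_read_unsigned(size_t yy_buf_size, size_t number_to_move)
{
    struct read_plan p = { yy_buf_size, number_to_move, 0, 0 };
    /* Unsigned subtraction: a negative result wraps to a huge value. */
    yy_size_t num_to_read = p.buf_size - number_to_move - 1;
    int steps = 0;
    /* "<= 0" on an unsigned value is only true when it is exactly 0, so a
     * wrapped (negative) result skips the grow loop entirely. */
    while (num_to_read <= 0 && steps++ < MAX_GROW_STEPS) {
        p.buf_size *= 2;
        p.grew = 1;
        num_to_read = p.buf_size - number_to_move - 1;
    }
    if (num_to_read > YY_READ_BUF_SIZE)
        num_to_read = YY_READ_BUF_SIZE;   /* clamp hides the wrap: 8192 bytes */
    p.bytes = num_to_read;
    return p;
}

/* Fixed variant (upstream commit a5cbe929, flex 2.6.1): num_to_read is int. */
static struct read_plan plan_read_signed(size_t yy_buf_size, size_t number_to_move)
{
    struct read_plan p = { yy_buf_size, number_to_move, 0, 0 };
    int num_to_read = (int)p.buf_size - (int)number_to_move - 1;
    int steps = 0;
    while (num_to_read <= 0 && steps++ < MAX_GROW_STEPS) {  /* negative is caught */
        p.buf_size *= 2;
        p.grew = 1;
        num_to_read = (int)p.buf_size - (int)number_to_move - 1;
    }
    if (num_to_read > YY_READ_BUF_SIZE)
        num_to_read = YY_READ_BUF_SIZE;
    p.bytes = (size_t)num_to_read;
    return p;
}

/* Would the planned YY_INPUT write run past the end of the buffer? */
static int plan_overflows(struct read_plan p)
{
    return p.dest_offset + p.bytes > p.buf_size;
}

int main(void)
{
    /* Constructed case: the pending token already fills the whole buffer. */
    struct read_plan u = plan_read_unsigned(YY_BUF_SIZE, YY_BUF_SIZE);
    struct read_plan s = plan_read_signed(YY_BUF_SIZE, YY_BUF_SIZE);
    printf("unsigned: grew=%d write %zu bytes at %zu into %zu -> overflow=%d\n",
           u.grew, u.bytes, u.dest_offset, u.buf_size, plan_overflows(u));
    printf("signed:   grew=%d write %zu bytes at %zu into %zu -> overflow=%d\n",
           s.grew, s.bytes, s.dest_offset, s.buf_size, plan_overflows(s));
    return 0;
}
```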
Comment 1 Andreas Stieger 2016-07-27 12:53:35 UTC
Introduced in 2.5.36
Only SUSE:SLE-12:Update/flex would be affected.
Comment 2 Michal Marek 2016-07-27 13:34:22 UTC
I will backport the fix. However, packages that buildrequire flex need to be reviewed and, if they use the lexer to process untrusted input, updated as well. Plus there can be package sources with shipped lexers built with the broken flex version.
Comment 3 Swamp Workflow Management 2016-07-27 22:00:28 UTC
bugbot adjusting priority
Comment 4 Michal Marek 2016-08-04 12:55:52 UTC
The fixed package is in home:michal-m:branches:SUSE:SLE-12:Update/flex, now I need to find out which flex users are affected.
Comment 5 Michal Marek 2016-08-04 14:43:43 UTC
Created attachment 686846 [details]
SLE12 packages with a copy of the buggy scanner

Most if not all occurrences are harmless, because a flex scanner is often used to read configuration files or source code. But they need to be reviewed.
Comment 6 Michal Marek 2016-08-04 14:44:37 UTC
Created attachment 686848 [details]
SLE12 packages which buildrequire flex

Same as above, plus some of the packages might not even use flex during build.
Comment 7 Michal Marek 2016-08-04 15:45:16 UTC
Created attachment 686866 [details]
SLE12 packages with a copy of the buggy scanner - sorted
Comment 8 Michal Marek 2016-08-04 15:45:46 UTC
Created attachment 686868 [details]
SLE12 packages which buildrequire flex - sorted
Comment 9 Michal Marek 2016-08-04 15:57:10 UTC
./mozilla/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c:			yy_size_t num_to_read =
./mozilla/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp:			yy_size_t num_to_read =
./mozilla/gfx/angle/src/compiler/translator/glslang_lex.cpp:			yy_size_t num_to_read =

Petr, is this firefox code processing any untrusted data? TL;DR: There was a version of flex which produced buggy scanners, and firefox has three such scanners in its sources.
Comment 10 Michal Marek 2016-08-04 16:11:59 UTC
binutils-2.25.0/binutils/deflex.c: dlltool program not used on Windows targets
binutils-2.25.0/binutils/arlex.c: ar -M <script> parser
./binutils-2.25.0/binutils/syslex.c: build-time helper
binutils-2.25.0/gas/bfin-lex.c: gas
binutils-2.25.0/gas/itbl-lex.c: gas
binutils-2.25.0/ld/ldlex.c: ld

so binutils is harmless.
Comment 11 Michal Marek 2016-08-04 16:16:03 UTC
bison and doxygen process source code, so harmless as well.

bogofilter-1.2.4/src/lexer_v3.c parses email messages and is even mentioned in the original report as vulnerable. Adding Lars. TL;DR, we need the equivalent of https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466 to be applied to the shipped scanner.
Comment 12 Michal Marek 2016-08-04 17:14:29 UTC
elfutils-0.158/libcpu/i386_lex.c: build-time helper
elfutils-0.158/src/ldlex.c: eu-ld
-> harmless

flex processes flex sources ;-) and is patched
-> harmless

gimp-2.8.10/plug-ins/imagemap/imap_ncsa_lex.c
gimp-2.8.10/plug-ins/imagemap/imap_cern_lex.c
gimp-2.8.10/plug-ins/imagemap/imap_csim_lex.c
This is the imagemap plugin reading back the various formats it produces. I guess this is harmless (these are NOT image data).
-> harmless

gmp-5.1.3/demos/calc/calclex.c: demo
-> harmless

gob2-2.0.20/src/lexer.c: This is a C code generator that reads other source files
-> harmless

gobject-introspection-1.38.0/scannerlexer.c: Reads some XML API description
-> harmless

gutenprint-5.2.10/src/testpattern/testpatternl.c: This reads some proprietary text format and produces test patterns for printers
gutenprint-5.2.10/src/gutenprintui2/printrcl.c: Parses ~/.gutenprintrc
-> harmless
Comment 13 Michal Marek 2016-08-04 21:54:55 UTC
intel-gpu-tools-1.5/assembler/lex.c: Assembler for some Intel GPUs
-> harmless

kbd-1.15.5/src/loadkeys.analyze.c: lexer for loadkeys
-> harmless

lasem-0.4.1/itex2mml/lex.yy.c: A LaTeX to MathML converter
-> harmless

webkit-qtwebkit-23/Source/ThirdParty/ANGLE/src/compiler/preprocessor/new/Tokenizer.cpp
webkit-qtwebkit-23/Source/ThirdParty/ANGLE/src/compiler/glslang_lex.cpp
Again this "angle" thing, same as MozillaFirefox
-> needs investigation

libcgroup-0.41.rc1/src/lex.c: Config parser
-> harmless

libguestfs-1.26.9/builder/index-scan.c: config parser (virt-builder index file)
-> harmless

qtwebkit-opensource-src-5.5.1/Source/ThirdParty/ANGLE/src/compiler/*: Another copy of "angle"
-> needs investigation

sip-4.15.4/sipgen/lexer.c: Parses an API description
-> harmless

texlive-20130620-source/utils/asymptote/lex.yy.cc: Parses some vector graphics language, but can be considered "source code parser"
texlive-20130620-source/utils/xindy/xindy-2.4/tex2xindy/tex2xindy.l: LaTeX .idx index parser
texlive-20130620-source/texk/lacheck/lacheck-1.26/lacheck.l: LaTeX parser
texlive-20130620-source/texk/web2c/omegafonts/pl-lexer.c: Some font language parser
texlive-20130620-source/texk/web2c/otps/otp-lexer.c: Parser for some character set translation language
texlive-20130620-source/texk/web2c/web2c/web2c-lexer.c: parser for web2c
texlive-20130620-source/texk/detex/detex-2.8/detex.c: Another TeX parser
-> mostly harmless

vala-0.22.1/gobject-introspection/scannerlexer.c: Copy of gobject-introspection
-> harmless

webkitgtk-2.4.8/Source/ThirdParty/ANGLE/src/compiler/preprocessor/Tokenizer.cpp: ANGLE again
-> needs investigation

xorg-server-1.15.2/hw/dmx/config/scanner.c: config parser
xorg-server-1.15.2/hw/xwin/winprefslex.c: config parser, not built
-> harmless
Comment 14 Michal Marek 2016-08-04 21:58:06 UTC
So from the first list, we have
- bogomips, which needs to be fixed
- copies of ANGLE in MozillaFirefox, libQtWebKit4, libqt5-qtwebkit and
  webkitgtk, which need to be investigated
Comment 15 Michal Marek 2016-08-05 09:04:54 UTC
(In reply to Michal Marek from comment #14)
> - bogomips, which needs to be fixed
    ^ bogofilter
Comment 16 Petr Cerny 2016-08-05 11:14:11 UTC
(In reply to Michal Marek from comment #9)
> ./mozilla/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c:			yy_size_t
> num_to_read =
> ./mozilla/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp:			yy_size_t
> num_to_read =
> ./mozilla/gfx/angle/src/compiler/translator/glslang_lex.cpp:			yy_size_t
> num_to_read =
> 
> Petr, is this firefox code processing any untrusted data? TL;DR: There was a
> version of flex which produced buggy scanners, and firefox has three such
> scanners in its sources.

TL;DR: I can't rule that out.

I have no idea. Sphinx is a speech recognition engine, so it might as well be processing audio coming from the outside.

Angle is a graphics abstraction library - I *suppose* it might be processing unsanitized data at some point (we all know how well people tend to perform sanitization on average, don't we).

That said, for angle there is a parser generator script, for libsphinx I suppose we could do that too. It will need to be sorted out with upstream (or upstream's upstream) though - I can ask Mozilla security team later in the afternoon.

sec-team: should I try re-generate the above listed files for the 45.3.0 update (which I have queued for submission later today)?
Comment 17 Petr Cerny 2016-08-05 12:54:31 UTC
After discussing with Michal, I'm patching FF 45.3.0.

Also reported to Mozilla as https://bugzilla.mozilla.org/show_bug.cgi?id=1292534
Comment 18 Petr Cerny 2016-08-05 16:09:24 UTC
ccing Wolfgang for openSUSE Mozilla packages
Comment 19 Bernhard Wiedemann 2016-08-08 10:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (990856) was mentioned in
https://build.opensuse.org/request/show/417437 Factory / seamonkey
Comment 20 Swamp Workflow Management 2016-08-12 19:12:32 UTC
SUSE-SU-2016:2061-1: An update that fixes 24 vulnerabilities is now available.

Category: security (important)
Bug References: 983549,983638,983639,983643,983646,983651,983652,983653,983655,984006,985659,989196,990628,990856,991809
CVE References: CVE-2016-2815,CVE-2016-2818,CVE-2016-2819,CVE-2016-2821,CVE-2016-2822,CVE-2016-2824,CVE-2016-2828,CVE-2016-2830,CVE-2016-2831,CVE-2016-2834,CVE-2016-2835,CVE-2016-2836,CVE-2016-2837,CVE-2016-2838,CVE-2016-2839,CVE-2016-5252,CVE-2016-5254,CVE-2016-5258,CVE-2016-5259,CVE-2016-5262,CVE-2016-5263,CVE-2016-5264,CVE-2016-5265,CVE-2016-6354
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    MozillaFirefox-45.3.0esr-48.1, MozillaFirefox-branding-SLED-45.0-20.38, firefox-fontconfig-2.11.0-4.2, mozilla-nspr-4.12-25.2, mozilla-nss-3.21.1-26.2
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    MozillaFirefox-45.3.0esr-48.1, firefox-fontconfig-2.11.0-4.2, mozilla-nspr-4.12-25.2, mozilla-nss-3.21.1-26.2
Comment 21 Swamp Workflow Management 2016-08-16 08:22:49 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-08-23.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62955
Comment 23 Michal Marek 2016-08-18 12:15:29 UTC
(In reply to Michal Marek from comment #14)
> So from the first list, we have
> - bogomips, which needs to be fixed
> - copies of ANGLE in MozillaFirefox, libQtWebKit4, libqt5-qtwebkit and
>   webkitgtk, which need to be investigated

Adding maintainers to CC/NEEDINFO.

Some more findings: libQtWebKit4 and libqt5-qtwebkit regenerate the lexer during build. So it is just a matter of rebuilding the packages with the fixed flex. I can bundle them into the submissions.

webkitgtk installs flex into the chroot, but it does not regenerate Source/ThirdParty/ANGLE/src/compiler/preprocessor/Tokenizer.cpp. So please either fix the Makefile or patch the generated file.

bogofilter's ./configure checks for flex, which is not present. So the solution might be as simple as adding flex to buildrequires.
Comment 24 Michal Marek 2016-08-18 13:03:36 UTC
Second list:
Mesa BuildRequires flex, but it looks like it's not using it and compiles the shipped lexers.
-> harmless

acpica: Lexer for the iASL compiler
-> harmless

aide: Lexer for the configuration files and database
-> harmless

mod_nss: Lexer for parser of expressions in the config
-> harmless

apache2_mod_python: Parser of the PSP pages. This could be a problem, however, it is not regenerated:
[   31s] make[2]: Entering directory '/home/abuild/rpmbuild/BUILD/mod_python-3.5.0/src'
[   31s] make[2]: 'psp_parser.c' is up to date.

apparmor: Scanner for the audit log. This should be OK, since the path length is limited. There is also a configuration parser.
-> harmless

at: Parses user-supplied timespec and is setuid.
-> We should update it (adding maintainer to CC).

autofs: Configuration parser
-> harmless

automake: Parses source code
-> harmless
Comment 25 Swamp Workflow Management 2016-08-22 06:32:39 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-08-29.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62976
Comment 26 Bernhard Wiedemann 2016-08-22 08:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (990856) was mentioned in
https://build.opensuse.org/request/show/420965 42.2 / MozillaFirefox
https://build.opensuse.org/request/show/420967 42.1 / MozillaFirefox
https://build.opensuse.org/request/show/420968 13.2 / MozillaFirefox
https://build.opensuse.org/request/show/420969 13.1 / MozillaFirefox
Comment 27 Swamp Workflow Management 2016-08-22 18:09:57 UTC
SUSE-SU-2016:2131-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 989196,990628,990856,991809
CVE References: CVE-2016-2830,CVE-2016-2835,CVE-2016-2836,CVE-2016-2837,CVE-2016-2838,CVE-2016-2839,CVE-2016-5252,CVE-2016-5254,CVE-2016-5258,CVE-2016-5259,CVE-2016-5262,CVE-2016-5263,CVE-2016-5264,CVE-2016-5265,CVE-2016-6354
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    MozillaFirefox-45.3.0esr-78.1
SUSE Linux Enterprise Server for SAP 12 (src):    MozillaFirefox-45.3.0esr-78.1
SUSE Linux Enterprise Server 12-SP1 (src):    MozillaFirefox-45.3.0esr-78.1
SUSE Linux Enterprise Server 12-LTSS (src):    MozillaFirefox-45.3.0esr-78.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    MozillaFirefox-45.3.0esr-78.1
Comment 28 Kristyna Streitova 2016-08-24 14:11:39 UTC
(In reply to Michal Marek from comment #24)
> at: Parses user-supplied timespec and is setuid.
> -> We should update it (adding maintainer to CC).

I verified that if 'at' is built against fixed flex from Michal's branch, "yy_size_t num_to_read" is correctly fixed to "int num_to_read".
Comment 29 Michal Marek 2016-08-25 13:05:38 UTC
babeltrace: parser of the ctf (http://diamon.org/ctf/) metadata
-> probably harmless

bc: calculator
-> harmless

binutils: handled in the first list
-> harmless

bison: handled in the first list
-> harmless

bluez: does not use flex at all
-> harmless

cfengine: configuration (promises) parser
-> harmless

checkpolicy: Uses flex-old
-> harmless

conntrack-tools: configuration parser
-> harmless

crash: ADA expression parser in the bundled gdb, not even built
-> harmless

cscope: C source parser
-> harmless

csync2: configuration parser
-> harmless

cyrus-imapd: sieve script and email address parser, both can be from untrusted sources
-> we should update it
Comment 30 Michal Marek 2016-08-25 16:51:15 UTC
dovecot22: does not use flex at all
-> harmless

doxygen: handled in the first list
-> harmless

drbd: drbd configuration file and metadata parser
-> harmless

dtc: Source code (dts) parser
-> harmless

elfutils:  handled in the first list
-> harmless

eppic: C and C preprocessor parser
-> harmless

gcc33, gcc48
-> harmless

gdb: ADA expression parser
-> harmless

gfs2-utils: Used by a utility (gfs2l) which is not installed
-> harmless

gob2: handled in the first list
-> harmless

gobject-introspection: handled in the first list
-> harmless

graphviz: Parsers of the dot and gml formats
-> harmless

grub2: Grub configuration file and commandline parser. This should be OK, because with password protection, only superusers can edit the commandline
-> harmless

gstreamer-0_10, gstreamer: Commandline syntax parser
-> harmless
Comment 31 Michal Marek 2016-08-25 21:53:43 UTC
hwinfo: Parser of database files of ISDN. Ahem.
-> harmless

icmake: a parser of alternative makefiles
-> harmless

iproute2: parser for 'tc filter add ...' syntax
-> harmless

ipsec-tools: several uses of flex:
  - src/racoon/prsa_tok.l: parser of ipsec.secrets RSA keys
  - src/racoon/cftoken.l: configuration parser
  - src/libipsec/policy_token.l: policy parser
  - src/setkey/token.l: configuration parser
-> harmless

isapnp: configuration parser
-> harmless
Comment 32 Michal Marek 2016-08-26 15:37:19 UTC
java-cup, jflex
-> false positives

kbd: keymap parser
-> harmless

kdelibs4: khtml/css/tokenizer.flex takes CSS files as input, so potentially dangerous. There are two more uses of flex
-> we should update it

ksh: Does not use flex
-> harmless

libQtWebKit4: handled in the first list
-> needs investigation

libXaw3d: Parser for the Layout widget
-> harmless

libbonobo: parser for the activation server protocol, unclear. Gnome-maintainers please advise
-> needs investigation

libcgroup: handled in the first list
-> harmless
libcmpiutil: Parser for libcmpiutil CIM Managed Object Format (MOF) files
-> hopefully harmless
Comment 33 Michael Gorse 2016-08-26 22:23:38 UTC
(In reply to Michal Marek from comment #32)

> libbonobo: parser for the activation server protocol, unclear.
> Gnome-maintainers please advise

It's parsing a string received from the calling application, so potentially untrusted. I'd suggest updating. The tarball does not include the output from flex, so we would just need to grab the rebuilt package.
Comment 34 Swamp Workflow Management 2016-08-27 17:09:07 UTC
openSUSE-SU-2016:2167-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 990856,992236
CVE References: CVE-2016-6354
Sources used:
openSUSE 13.1 (src):    MozillaFirefox-48.0.1-122.3, mozilla-nss-3.24-88.1
Comment 35 Swamp Workflow Management 2016-08-29 15:08:48 UTC
openSUSE-SU-2016:2182-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 990856,992236
CVE References: CVE-2016-6354
Sources used:
openSUSE Leap 42.1 (src):    MozillaFirefox-48.0.1-30.6, mozilla-nss-3.24-26.2
openSUSE 13.2 (src):    MozillaFirefox-48.0.1-77.4, mozilla-nss-3.24-43.1
Comment 36 Michal Marek 2016-08-30 15:02:02 UTC
(In reply to Michael Gorse from comment #33)
> (In reply to Michal Marek from comment #32)
> 
> > libbonobo: parser for the activation server protocol, unclear.
> > Gnome-maintainers please advise
> 
> It's parsing a string received from the calling application, so potentially
> untrusted. I'd suggest updating. The tarball does not include the output
> from flex, so we would just need to grab the rebuilt package.

Thanks for the response. I will add libbonobo to the submission.
Comment 37 Michal Marek 2016-08-30 15:55:13 UTC
libconfig: Library for parsing config files
-> harmless

libcue: Parser of CUE sheets (https://en.wikipedia.org/wiki/Cue_sheet_%28computing%29)
-> hopefully harmless

libevtlog: Does not use flex at all
-> harmless

libgda: Does not use flex at all
-> harmless

libgnomeprint: Print filter parser
-> harmless

libguestfs: Handled in the first list
-> harmless

libidl: Parser of CORBA Interface Definition Language (IDL) files.
-> harmless

libnl: Netlink protocol library. Parser for /etc/libnl/pktloc and for packet matching syntax
-> harmless

libpcap: pcap filter syntax parser
-> harmless

libpt2: Does not use flex at all. Has a lexer for an ASN.1 parser tool, but it is not built
-> harmless

libqt5-qtwebkit: Handled in the first list
-> should be updated

libreoffice: OMG.
  - connectivity/source/parse/sqlflex.l: Parser for SQL hopefully entered by
    user (but then possibly shared with other users)
  - l10ntools/source/*.l: Seems to be a tool for translators of libreoffice
  - idlc/source/scanner.l: UNO IDL compiler, a build-time tool
  - unoidl/source/sourceprovider-scanner.l: Same..?
-> We should probably update it due to the SQL parser. However, libreoffice is updated regularly, so I think I can skip it and it will pick up the fixed flex eventually

libsemanage: configuration parser
-> harmless
Comment 38 Swamp Workflow Management 2016-08-30 17:10:27 UTC
SUSE-SU-2016:2195-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 989196,990628,990856,991809
CVE References: CVE-2016-2830,CVE-2016-2835,CVE-2016-2836,CVE-2016-2837,CVE-2016-2838,CVE-2016-2839,CVE-2016-5252,CVE-2016-5254,CVE-2016-5258,CVE-2016-5259,CVE-2016-5262,CVE-2016-5263,CVE-2016-5264,CVE-2016-5265,CVE-2016-6354
Sources used:
SUSE OpenStack Cloud 5 (src):    MozillaFirefox-45.3.0esr-50.1
SUSE Manager Proxy 2.1 (src):    MozillaFirefox-45.3.0esr-50.1
SUSE Manager 2.1 (src):    MozillaFirefox-45.3.0esr-50.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    MozillaFirefox-45.3.0esr-50.1
SUSE Linux Enterprise Server 11-SP4 (src):    MozillaFirefox-45.3.0esr-50.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    MozillaFirefox-45.3.0esr-50.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    MozillaFirefox-45.3.0esr-50.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    MozillaFirefox-45.3.0esr-50.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    MozillaFirefox-45.3.0esr-50.1
Comment 39 Michal Marek 2016-08-31 13:02:17 UTC
libsmi: Parsers for MIB files (https://en.wikipedia.org/wiki/Management_information_base)
-> harmless

libxkbcommon: Does not use flex at all
-> harmless

libyajl: Does not use flex at all
-> harmless

linux-atm: Configuration parsers
-> harmless

llvm: Does not use flex at all
-> harmless

man: We do not have setuid man / mandb anymore
-> harmless

mdbtools: SQL parser in a library for accessing MS Access files. Unclear
-> we should update it

mipv6d: Configuration parser
-> harmless

motif: parser of motif.wml and a lexer reading the yacc parser :)
-> harmless
Comment 40 Michal Marek 2016-08-31 15:29:15 UTC
netpbm: thinkjettopbm parser
-> we should update it

novell-ipsec-tools: Copy of ipsec-tools
-> harmless

open-iscsi: /proc/device-tree parser
-> harmless

open-lldp: dcbtool commandline parser
-> harmless

openCryptoki: config parsers
-> harmless

openslp:
 - common/slp_filter_l.l: LDAP filter syntax parser, this is OK
 - common/slp_attr_l.l: SLP attributes parser, this is potentially untrusted
-> we should update it

opensm: policy file parser
-> harmless
Comment 41 Michal Marek 2016-09-01 15:37:07 UTC
pacemaker: Config parser
-> harmless

pam: build helper and a config parser (pam_conv1) which is not installed either
-> harmless

pam_pkcs11: configuration parser
-> harmless

pcp
 - src/pmlc/lex.l: Commandline syntax parser
 - src/dbpmda/src/lex.l: interactive command syntax parser
 - src/pmlogextract/lex.l: Parser of performance log files created by other pcp
                           tools, hopefully OK
 - src/pmlogger/lex.l: Configuration parser
 - src/pmlogrewrite/lex.l: Configuration parser
 - src/pmdas/hotproc/src/lex.l: Configuration parser

perf: Configuration and commandline syntax parser
-> harmless

 -
Comment 42 Swamp Workflow Management 2016-09-06 22:08:58 UTC
openSUSE-SU-2016:2253-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 990856,991809
CVE References: CVE-2016-2830,CVE-2016-2836,CVE-2016-2837,CVE-2016-2838,CVE-2016-2839,CVE-2016-5252,CVE-2016-5254,CVE-2016-5258,CVE-2016-5259,CVE-2016-5262,CVE-2016-5263,CVE-2016-5264,CVE-2016-5265,CVE-2016-6354
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    MozillaThunderbird-45.3.0-9.1
Comment 43 Swamp Workflow Management 2016-09-06 22:09:44 UTC
openSUSE-SU-2016:2254-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 990856,991809
CVE References: CVE-2016-2830,CVE-2016-2836,CVE-2016-2837,CVE-2016-2838,CVE-2016-2839,CVE-2016-5252,CVE-2016-5254,CVE-2016-5258,CVE-2016-5259,CVE-2016-5262,CVE-2016-5263,CVE-2016-5264,CVE-2016-5265,CVE-2016-6354
Sources used:
openSUSE Leap 42.1 (src):    MozillaThunderbird-45.3.0-19.2
openSUSE 13.2 (src):    MozillaThunderbird-45.3.0-46.2
Comment 44 Michal Marek 2016-09-07 07:48:11 UTC
plotutils: Mathematical expression parser
-> harmless

ppc64-diag: Event/message catalog parsers
-> harmless

pwlib: Does not use flex at all
-> harmless

qdox: false positive
-> harmless
Comment 45 Michal Marek 2016-09-07 11:28:58 UTC
radvd: radvd.conf parser
-> harmless

rasqal: SPARQL parser, no idea. The library is also used by libreoffice. However, the Makefile does not rebuild the lexer by default and uses a canned lexer that does not have this bug
-> harmless

rdist: Does not use flex at all
-> harmless

rsyslog: Configuration parser
-> harmless

sblim-cmpi-dns: Configuration parsers
-> harmless

sblim-cmpi-nfsv3: Configuration parsers
-> harmless

sblim-cmpi-nfsv4: Configuration parsers
-> harmless

sblim-sfcb: CIM XML parser and CIM MOF parser. The CIM XML parser is possibly problematic, but the Makefile does not rebuild the lexer and the canned lexer is not vulnerable
-> harmless

sblim-smis-hba: Does not use flex at all
-> harmless

sensors: configuration parser
-> harmless

setools: Policy file parser
-> harmless

sgmltool: sgml and RTF parser. The RTF parser (rtf2rtf) is possibly problematic, I guess
-> we should update it

squidGuard: configuration parser
-> harmless

strongswan: configuration parser
-> harmless

syslog-ng: configuration parser
-> harmless

texlive: handled in the first list
-> harmless

vala: handled in the first list
-> harmless

virtuoso: Lots of parsers and it's a multi-purpose server (database, web, etc)
-> we should update it
Comment 46 Michal Marek 2016-09-07 13:00:17 UTC
webkitgtk: handled in the first list
-> we should update it

wireshark: Lots of parsers, better update
-> we should update it

xbsql: client-side SQL parser
-> harmless

xen:
 - tools/firmware/seabios-dir-remote/tools/kconfig/zconf.l: Copy of kernel kconfig
 - xen-4.4.1-testing/tools/libxl/libxlu_disk_l.l: Disk specification syntax parser
 - xen-4.4.1-testing/tools/libxl/libxlu_cfg_l.l: Configuration parser
-> harmless

xfig: does not use flex at all
-> harmless

xindy: See texlive
-> harmless

xmlto: xmlif(1) parser, hopefully OK
-> harmless

xorg-x11-server: Handled in the first list
-> harmless

xsupplicant: configuration parser
-> harmless

yast2-code: Parser of the YCP language. It even accepts German keywords like "Wiederkehr", "falls" or "sonstwas", LOL
-> harmless

yast2-*: Other yast2 packages do not use flex at all
-> harmless

yodl: Does not use flex at all
-> harmless
Comment 47 Michal Marek 2016-09-07 13:49:33 UTC
The affected packages are building in home:michal-m:branches:SUSE:SLE-12:Update:flex. I had to patch bogofilter to buildrequire flex and actually rebuild the parser. There may be more cases like this, I'm checking now. I skipped MozillaFirefox, which has already been handled by Petr, and libreoffice, which I assume will be sooner or later updated for other reasons.
Comment 48 Michal Marek 2016-09-07 14:15:38 UTC
Some packages fail to build with the patched flex. *sigh*
Comment 49 Michal Marek 2016-09-07 15:15:06 UTC
The devel project of SUSE:SLE-12:Update/webkitgtk points to Devel:Desktop:SLE12:SP2/webkitgtk, but Devel:Desktop:SLE12:SP2/webkitgtk does not build in a SUSE:SLE-12:Update build environment (configure: error: Package requirements (geoclue) were not met). I'll leave this up to gnome-maintainers to update the package.
Comment 50 Michal Marek 2016-09-07 15:29:16 UTC
The sgmltool failure is a bit ironic. It has its own extern declaration of yyleng:

extern int yyleng;

And a patch changes it to size_t to compile with flex, which declared yyleng with a wrong type (cf https://sourceforge.net/p/flex/bugs/187/). Now I backported 7a7c3dfe1bcb ("Fix more integer types, resolves sf 184, 187"), which fixes the declaration and the patched sgmltool fails. However, looking at the patch, it really only seems to be a POSIX conformance fix and not a security issue. So I will err on the side of compatibility with the SLE12 GA package and revert the patch again.
Comment 51 Michal Marek 2016-09-09 14:28:21 UTC
libQtWebKit4 rebuilds the scanners, but it leaves copies of the shipped (and buggy) scanners intact. So this package is fine.
Comment 52 Michal Marek 2016-09-09 14:56:20 UTC
Same for libqt5-qtwebkit. It's the same source code copy after all.
Comment 53 Michal Marek 2016-09-09 15:10:14 UTC
I fixed flex and the dependent packages finally (mr#120927). Most packages only required a rebuild with no source changes, in such cases, I added an entry to the .changes file:

-------------------------------------------------------------------
Fri Sep  9 14:56:59 UTC 2016 - mmarek@suse.cz

- Rebuild with a fixed flex package to fix a buffer overflow
  (bsc#990856, CVE-2016-6354).

I skipped two packages: libreoffice, because I believe it has its own update schedule (please correct me if I'm wrong) and webkitgtk, for which the devel project does not provide a buildable package. Plus, Firefox has already been released.
Comment 55 Swamp Workflow Management 2016-09-25 10:11:34 UTC
openSUSE-SU-2016:2378-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 990856,991809
CVE References: CVE-2016-2830,CVE-2016-2836,CVE-2016-2837,CVE-2016-2838,CVE-2016-2839,CVE-2016-5252,CVE-2016-5254,CVE-2016-5258,CVE-2016-5259,CVE-2016-5262,CVE-2016-5263,CVE-2016-5264,CVE-2016-5265,CVE-2016-6354
Sources used:
openSUSE 13.1 (src):    MozillaThunderbird-45.3.0-70.86.1
Comment 56 Swamp Workflow Management 2016-09-27 17:16:14 UTC
SUSE-SU-2016:2397-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 954210,990856
CVE References: CVE-2015-8079,CVE-2016-6354
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    bogofilter-1.2.4-5.3
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    flex-2.5.37-8.1, libQtWebKit4-4.8.6+2.3.3-3.1, libbonobo-2.32.1-16.1, mdbtools-0.7-5.1, netpbm-10.66.3-4.1, openslp-2.0.0-11.1, sgmltool-1.0.9-1075.1
SUSE Linux Enterprise Server 12-SP1 (src):    at-3.1.14-7.3, cyrus-imapd-2.3.18-40.1, flex-2.5.37-8.1, kdelibs4-4.12.0-7.3, libQtWebKit4-4.8.6+2.3.3-3.1, libbonobo-2.32.1-16.1, netpbm-10.66.3-4.1, openslp-2.0.0-11.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    at-3.1.14-7.3, bogofilter-1.2.4-5.3, kdelibs4-4.12.0-7.3, libQtWebKit4-4.8.6+2.3.3-3.1, libbonobo-2.32.1-16.1, netpbm-10.66.3-4.1, openslp-2.0.0-11.1
Comment 58 Michal Marek 2016-09-30 11:12:25 UTC
SLES 11 is not affected.
Comment 59 Michal Marek 2016-09-30 11:23:40 UTC
There could be updated SLE11 packages with a vulnerable version of the scanner, checking.
Comment 60 Michal Marek 2016-10-01 20:27:30 UTC
In /work/SRC/SUSE:SLE-11*, I see

binutils -> harmless

doxygen -> harmless

firefox -> already updated

gecode -> unknown, the SLE12 does not have the vulnerable scanner

libcgroup -> harmless

postgresql -> unknown, there is also a SLE12 update package which I missed

wireshark -> Needs to be fixed. The fix should be simply a 'find -name '*.l' | xargs touch' (hopefully the flex 2.5.29 -> 2.5.35 downgrade won't cause issues)
Comment 64 Swamp Workflow Management 2016-10-04 15:10:57 UTC
openSUSE-SU-2016:2450-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 990856
CVE References: CVE-2016-6354
Sources used:
openSUSE Leap 42.1 (src):    at-3.1.14-9.2, flex-2.5.37-11.1, libbonobo-2.32.1-19.1, netpbm-10.66.3-6.1, openslp-2.0.0-14.1, sgmltool-1.0.9-1078.1, virtuoso-6.1.6-13.1
Comment 66 Michal Marek 2016-11-04 15:30:41 UTC
SLE11 gecode contains a parser of zinc / minizinc (http://www.minizinc.org/)
-> harmless
Comment 67 Michal Marek 2016-11-09 14:37:33 UTC
Created attachment 701287 [details]
postgresql94: Rebuild all flex scanners
Comment 68 Michal Marek 2016-11-09 14:38:37 UTC
The SLE12 and SLE11 postgresql94 packages need the above patch, to rebuild the vulnerable scanners shipped with the source. In SLE11, there is a risk that the scanner won't work with the older flex version there (2.5.35 vs. 2.5.39), but hopefully the testsuite has good coverage.
Comment 69 Michal Marek 2016-11-09 15:32:38 UTC
Likewise, the SLE11 wireshark.spec needs to run

find -name '*.l' | xargs touch

at the end of %prep, like the SLE12 package does. After the build, none of the flex scanners shall contain "yy_size_t num_to_read".
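An added example of the post-build check described in comments 60 and 69 (example script, not from the bug report or the SUSE packages): it walks a package source tree, recognises pre-generated flex scanners by the FLEX_SCANNER define from flex's skeleton, reports the generating flex version from the YY_FLEX_*_VERSION defines, and flags any scanner that still declares `yy_size_t num_to_read`. The sample tree it builds is constructed for the demonstration; the function and file names are assumptions.

```shell
#!/bin/sh
# Example check (not from the bug report): find pre-generated flex scanners in a
# source tree and flag those still carrying the buggy "yy_size_t num_to_read"
# (CVE-2016-6354). The version defines alone are not enough, because a patched
# flex (e.g. SLE12's fixed 2.5.37 package) keeps its version but emits "int".
# Prints "<file> flex-<version> VULNERABLE|ok"; returns 1 if anything is flagged.
check_flex_scanners() {
    dir=$1
    bad=0
    # Paths with whitespace are not expected in a package source tree.
    for f in $(find "$dir" -type f \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' \) \
                    -exec grep -l 'define FLEX_SCANNER' {} +); do
        ver=$(awk '/^#define YY_FLEX_(MAJOR|MINOR|SUBMINOR)_VERSION/ {
                       v = v (v ? "." : "") $3 } END { print v }' "$f")
        if grep -q 'yy_size_t num_to_read' "$f"; then
            echo "$f flex-$ver VULNERABLE"
            bad=1
        else
            echo "$f flex-$ver ok"
        fi
    done
    return $bad
}

# Constructed sample tree: one scanner from an unpatched flex 2.5.37, one from
# flex 2.5.35 (never affected), and a hand-written file that is not a scanner.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/src/parser"
    printf '%s\n' '#define FLEX_SCANNER' '#define YY_FLEX_MAJOR_VERSION 2' \
        '#define YY_FLEX_MINOR_VERSION 5' '#define YY_FLEX_SUBMINOR_VERSION 37' \
        '	yy_size_t num_to_read =' > "$d/src/parser/lex.yy.c"
    printf '%s\n' '#define FLEX_SCANNER' '#define YY_FLEX_MAJOR_VERSION 2' \
        '#define YY_FLEX_MINOR_VERSION 5' '#define YY_FLEX_SUBMINOR_VERSION 35' \
        '	int num_to_read =' > "$d/src/scan.c"
    printf '%s\n' '/* hand-written, mentions flex only in a comment */' \
        'int main(void) { return 0; }' > "$d/src/main.c"
    echo "$d"
}

# Usage: ./check_flex_scanners.sh <unpacked source tree> (e.g. after %build)
if [ $# -gt 0 ]; then
    check_flex_scanners "$1"
fi
```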
Comment 70 Michal Marek 2016-11-09 20:46:01 UTC
Adding also the wireshark maintainer to NEEDINFO.
Comment 71 Lingshan Zhu 2016-11-10 09:18:26 UTC
I will integrate this fix if PM wants wireshark updated to a 2.xxx version in SLE11
Comment 72 Swamp Workflow Management 2017-02-01 23:11:19 UTC
openSUSE-SU-2017:0356-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1017174,1021636,984637,990856
CVE References: CVE-2016-6354
Sources used:
openSUSE Leap 42.2 (src):    seamonkey-2.46-9.2
openSUSE Leap 42.1 (src):    seamonkey-2.46-9.2
Comment 73 Swamp Workflow Management 2017-05-30 16:13:16 UTC
SUSE-SU-2017:1442-1: An update that solves 24 vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 1002981,1010735,1010740,1010752,1010754,1010911,1021739,1025913,1026507,1027692,1027998,1033936,1033937,1033938,1033939,1033940,1033941,1033942,1033943,1033944,1033945,990856,998761,998762,998763,998800,998963,998964
CVE References: CVE-2016-6354,CVE-2016-7175,CVE-2016-7176,CVE-2016-7177,CVE-2016-7178,CVE-2016-7179,CVE-2016-7180,CVE-2016-9373,CVE-2016-9374,CVE-2016-9375,CVE-2016-9376,CVE-2017-5596,CVE-2017-5597,CVE-2017-6014,CVE-2017-7700,CVE-2017-7701,CVE-2017-7702,CVE-2017-7703,CVE-2017-7704,CVE-2017-7705,CVE-2017-7745,CVE-2017-7746,CVE-2017-7747,CVE-2017-7748
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    wireshark-2.2.6-44.3
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    wireshark-2.2.6-44.3
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    wireshark-2.2.6-44.3
SUSE Linux Enterprise Server 12-SP2 (src):    wireshark-2.2.6-44.3
SUSE Linux Enterprise Server 12-SP1 (src):    wireshark-2.2.6-44.3
SUSE Linux Enterprise Desktop 12-SP2 (src):    wireshark-2.2.6-44.3
SUSE Linux Enterprise Desktop 12-SP1 (src):    wireshark-2.2.6-44.3
Comment 74 Swamp Workflow Management 2018-10-13 16:00:59 UTC
This is an autogenerated message for OBS integration:
This bug (990856) was mentioned in
https://build.opensuse.org/request/show/641836 42.3 / wireshark
Comment 77 Alexandros Toptsoglou 2020-05-12 14:35:12 UTC
Done
Comment 79 Alexandros Toptsoglou 2020-07-10 15:03:04 UTC
Done
Comment 80 OBSbugzilla Bot 2021-07-08 07:30:44 UTC
This is an autogenerated message for OBS integration:
This bug (990856) was mentioned in
https://build.opensuse.org/request/show/904702 15.3 / seamonkey
Comment 81 OBSbugzilla Bot 2021-07-22 12:30:45 UTC
This is an autogenerated message for OBS integration:
This bug (990856) was mentioned in
https://build.opensuse.org/request/show/907731 15.3 / seamonkey
Comment 82 OBSbugzilla Bot 2021-08-26 17:40:45 UTC
This is an autogenerated message for OBS integration:
This bug (990856) was mentioned in
https://build.opensuse.org/request/show/914429 15.3 / seamonkey
Comment 83 OBSbugzilla Bot 2021-09-28 18:40:50 UTC
This is an autogenerated message for OBS integration:
This bug (990856) was mentioned in
https://build.opensuse.org/request/show/922046 15.3 / seamonkey
Comment 84 OBSbugzilla Bot 2021-11-16 11:41:07 UTC
This is an autogenerated message for OBS integration:
This bug (990856) was mentioned in
https://build.opensuse.org/request/show/931737 15.3 / seamonkey