Bugzilla – Bug 990856
VUL-1: CVE-2016-6354: flex,flex-old: buffer overflow in generated code (yy_get_next_buffer)
Last modified: 2021-11-16 11:41:07 UTC
http://seclists.org/oss-sec/2016/q3/163

flex upstream changed some integer types in 2.5.36 [1] to unsigned integer types (size_t). Especially the num_to_read variable in yy_get_next_buffer is critical, because the buffer is resized if this value is _less_ than or equal to zero. With specially crafted input it is possible that the buffer is not resized if the input is larger than the default buffer size of 16k. This allows a heap buffer overflow. It may also be remotely usable; it depends on the software that is built using flex. We noticed for example that bogofilter segfaults sometimes depending on the incoming mail. Upstream already noticed that this may be a problem [2] but did not escalate it as a security issue.

Use CVE-2016-6354 for this num_to_read issue.

Upstream also changed some other types back from size_t to int (for example in [3]), so maybe it is not sufficient to only change num_to_read back to int. The upstream fix is contained in 2.6.1, but there are more integer type fixes in the master branch of flex (currently not in a released version). As the issue is in the generated code during compile time, it is not sufficient to fix flex, but all binaries using flex as a build dependency may need a rebuild after fixing flex. Additionally there may be packages that supply the generated source in the release tar and do not use flex during building.

1: https://github.com/westes/flex/commit/9ba3187a537d6a58d345f2874d06087fd4050399
2: https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466
3: https://github.com/westes/flex/commit/7a7c3dfe1bcb8230447ba1656f926b4b4cdfc457

As far as we know, there has not been any discussion specifically showing that there is a security issue associated with any of the changes other than the num_to_read change. Accordingly, there are no other CVE IDs at this time.
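As an added illustration (not flex's generated code and not from this bug's attachments), the following C model reproduces the refill decision described in the report with both declarations of num_to_read and reports how far a refill would write past the buffer instead of performing it. The doubling growth, the YY_READ_BUF_SIZE value and the functions refill_signed/refill_unsigned are assumptions of the model, not taken from the page.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Simplified model of the refill step in flex's generated
 * yy_get_next_buffer(), written for this page to show why the type of
 * num_to_read matters.  It is NOT flex's own code: the real scanner
 * reallocs its buffer and then reads via YY_INPUT; this model only makes
 * the same decisions and computes how many bytes that read would land past
 * the end of the buffer, so nothing unsafe is executed.
 */

#define YY_BUF_SIZE      16384   /* flex's default buffer size (from the report) */
#define YY_READ_BUF_SIZE  8192   /* assumed cap on one YY_INPUT call */

struct refill_result {
    size_t buf_size;       /* buffer size after any growth */
    size_t num_to_read;    /* bytes the model would ask YY_INPUT for */
    size_t overflow_bytes; /* bytes written past buf_size (0 = safe) */
};

/* Bytes that a read of num_to_read starting at offset number_to_move
 * would place beyond a buffer of buf_size bytes. */
static size_t overflow_of(size_t buf_size, size_t number_to_move,
                          size_t num_to_read)
{
    size_t end = number_to_move + num_to_read;
    return end > buf_size ? end - buf_size : 0;
}

/* Pre-2.5.36 and 2.6.1+ behaviour: num_to_read is a signed int, so a
 * full buffer yields a value <= 0 and the grow loop runs. */
struct refill_result refill_signed(size_t buf_size, size_t number_to_move)
{
    struct refill_result r;
    int num_to_read = (int)buf_size - (int)number_to_move - 1;

    while (num_to_read <= 0) {
        /* Not enough room in the buffer - grow it (model: double it). */
        buf_size *= 2;
        num_to_read = (int)buf_size - (int)number_to_move - 1;
    }
    if (num_to_read > YY_READ_BUF_SIZE)
        num_to_read = YY_READ_BUF_SIZE;

    r.buf_size = buf_size;
    r.num_to_read = (size_t)num_to_read;
    r.overflow_bytes = overflow_of(buf_size, number_to_move, r.num_to_read);
    return r;
}

/* flex 2.5.36 .. 2.6.0 behaviour (CVE-2016-6354): identical logic, but
 * num_to_read is yy_size_t, i.e. an unsigned size_t. */
struct refill_result refill_unsigned(size_t buf_size, size_t number_to_move)
{
    struct refill_result r;
    size_t num_to_read = buf_size - number_to_move - 1; /* wraps if negative */

    while (num_to_read <= 0) {
        /* Only reached when the result is exactly 0; a wrapped value is huge,
         * so a buffer that is already over-full is never grown. */
        buf_size *= 2;
        num_to_read = buf_size - number_to_move - 1;
    }
    if (num_to_read > YY_READ_BUF_SIZE)
        num_to_read = YY_READ_BUF_SIZE; /* wrapped value is clamped, not rejected */

    r.buf_size = buf_size;
    r.num_to_read = num_to_read;
    r.overflow_bytes = overflow_of(buf_size, number_to_move, num_to_read);
    return r;
}

int main(void)
{
    /* Scenario: the token being matched already fills the whole 16k buffer. */
    struct refill_result ok  = refill_signed(YY_BUF_SIZE, YY_BUF_SIZE);
    struct refill_result bad = refill_unsigned(YY_BUF_SIZE, YY_BUF_SIZE);

    printf("int num_to_read:       buffer grown to %zu, read %zu, overflow %zu\n",
           ok.buf_size, ok.num_to_read, ok.overflow_bytes);
    printf("yy_size_t num_to_read: buffer stays %zu, read %zu, overflow %zu\n",
           bad.buf_size, bad.num_to_read, bad.overflow_bytes);
    return 0;
}
```

The boundary case where exactly zero bytes are free is still handled by the unsigned variant, which is why the bug only shows with inputs that overrun the buffer rather than merely fill it.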
7a7c3dfe1bcb8230447ba1656f926b4b4cdfc457 refers to "sf 184, 187" - in other words, https://sourceforge.net/p/flex/bugs/184/ and https://sourceforge.net/p/flex/bugs/187/. Among the concerns cited is "POSIX mandates that yyleng has type int, but flex defines it as yy_size_t. This breaks programs that use the POSIX-compatible declaration." The MITRE CVE team has not been studying 7a7c3dfe1bcb8230447ba1656f926b4b4cdfc457 or the mentioned master-branch commits - the only point is that integer types sometimes need to be changed without a security-related motivation.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1360743
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6354
http://seclists.org/oss-sec/2016/q3/163
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6354.html
Introduced in 2.5.36. Only SUSE:SLE-12:Update/flex would be affected.
I will backport the fix. However, packages that buildrequire flex need to be reviewed and, if they use the lexer to process untrusted input, updated as well. Plus there can be package sources with shipped lexers built with the broken flex version.
bugbot adjusting priority
The fixed package is in home:michal-m:branches:SUSE:SLE-12:Update/flex, now I need to find out which flex users are affected.
Created attachment 686846 [details] SLE12 packages with a copy of the buggy scanner

Most if not all occurrences are harmless, because a flex scanner is often used to read configuration files or source code. But they need to be reviewed.
Created attachment 686848 [details] SLE12 packages which buildrequire flex

Same as above, plus some of the packages might not even use flex during build.
Created attachment 686866 [details] SLE12 packages with a copy of the buggy scanner - sorted
Created attachment 686868 [details] SLE12 packages which buildrequire flex - sorted
./mozilla/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c: yy_size_t num_to_read =
./mozilla/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp: yy_size_t num_to_read =
./mozilla/gfx/angle/src/compiler/translator/glslang_lex.cpp: yy_size_t num_to_read =

Petr, is this firefox code processing any untrusted data? TL;DR: There was a version of flex which produced buggy scanners, and firefox has three such scanners in its sources.
binutils-2.25.0/binutils/deflex.c: dlltool program not used on Windows targets
binutils-2.25.0/binutils/arlex.c: ar -M <script> parser
./binutils-2.25.0/binutils/syslex.c: build-time helper
binutils-2.25.0/gas/bfin-lex.c: gas
binutils-2.25.0/gas/itbl-lex.c: gas
binutils-2.25.0/ld/ldlex.c: ld

so binutils is harmless.
bison and doxygen process source code, so harmless as well. bogofilter-1.2.4/src/lexer_v3.c parses email messages and is even mentioned in the original report as vulnerable. Adding Lars. TL;DR, we need the equivalent of https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466 to be applied to the shipped scanner.
elfutils-0.158/libcpu/i386_lex.c: build-time helper
elfutils-0.158/src/ldlex.c: eu-ld
-> harmless

flex processes flex sources ;-) and is patched -> harmless

gimp-2.8.10/plug-ins/imagemap/imap_ncsa_lex.c
gimp-2.8.10/plug-ins/imagemap/imap_cern_lex.c
gimp-2.8.10/plug-ins/imagemap/imap_csim_lex.c
This is the imagemap plugin reading back the various formats it produces. I guess this is harmless (these are NOT image data). -> harmless

gmp-5.1.3/demos/calc/calclex.c: demo -> harmless
gob2-2.0.20/src/lexer.c: This is a C code generator that reads other source files -> harmless
gobject-introspection-1.38.0/scannerlexer.c: Reads some XML API description -> harmless
gutenprint-5.2.10/src/testpattern/testpatternl.c: This reads some proprietary text format and produces test patterns for printers
gutenprint-5.2.10/src/gutenprintui2/printrcl.c: Parses ~/.gutenprintrc
-> harmless
intel-gpu-tools-1.5/assembler/lex.c: Assembler for some Intel GPUs -> harmless
kbd-1.15.5/src/loadkeys.analyze.c: lexer for loadkeys -> harmless
lasem-0.4.1/itex2mml/lex.yy.c: A LaTeX to MathML converter -> harmless
webkit-qtwebkit-23/Source/ThirdParty/ANGLE/src/compiler/preprocessor/new/Tokenizer.cpp
webkit-qtwebkit-23/Source/ThirdParty/ANGLE/src/compiler/glslang_lex.cpp
Again this "angle" thing, same as MozillaFirefox -> needs investigation
libcgroup-0.41.rc1/src/lex.c: Config parser -> harmless
libguestfs-1.26.9/builder/index-scan.c: config parser (virt-builder index file) -> harmless
qtwebkit-opensource-src-5.5.1/Source/ThirdParty/ANGLE/src/compiler/*: Another copy of "angle" -> needs investigation
sip-4.15.4/sipgen/lexer.c: Parses an API description -> harmless
texlive-20130620-source/utils/asymptote/lex.yy.cc: Parses some vector graphics language, but can be considered "source code parser"
texlive-20130620-source/utils/xindy/xindy-2.4/tex2xindy/tex2xindy.l: LaTeX .idx index parser
texlive-20130620-source/texk/lacheck/lacheck-1.26/lacheck.l: LaTeX parser
texlive-20130620-source/texk/web2c/omegafonts/pl-lexer.c: Some font language parser
texlive-20130620-source/texk/web2c/otps/otp-lexer.c: Parser for some character set translation language
texlive-20130620-source/texk/web2c/web2c/web2c-lexer.c: parser for web2c
texlive-20130620-source/texk/detex/detex-2.8/detex.c: Another TeX parser
-> mostly harmless
vala-0.22.1/gobject-introspection/scannerlexer.c: Copy of gobject-introspection -> harmless
webkitgtk-2.4.8/Source/ThirdParty/ANGLE/src/compiler/preprocessor/Tokenizer.cpp: ANGLE again -> needs investigation
xorg-server-1.15.2/hw/dmx/config/scanner.c: config parser
xorg-server-1.15.2/hw/xwin/winprefslex.c: config parser, not built
-> harmless
So from the first list, we have
- bogomips, which needs to be fixed
- copies of ANGLE in MozillaFirefox, libQtWebKit4, libqt5-qtwebkit and webkitgtk, which need to be investigated
(In reply to Michal Marek from comment #14)
> - bogomips, which needs to be fixed
  ^ bogofilter
(In reply to Michal Marek from comment #9)
> ./mozilla/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c: yy_size_t num_to_read =
> ./mozilla/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp: yy_size_t num_to_read =
> ./mozilla/gfx/angle/src/compiler/translator/glslang_lex.cpp: yy_size_t num_to_read =
>
> Petr, is this firefox code processing any untrusted data? TL;DR: There was a
> version of flex which produced buggy scanners, and firefox has three such
> scanners in its sources.

TL;DR: I can't rule that out. I have no idea. Sphinx is a speech recognition engine, so it might as well be processing audio coming from the outside. Angle is a graphics abstraction library - I *suppose* it might be processing unsanitized data at some point (we all know how well people tend to perform sanitization on average, don't we). That said, for angle there is a parser generator script; for libsphinx I suppose we could do that too. It will need to be sorted out with upstream (or upstream's upstream) though - I can ask the Mozilla security team later in the afternoon.

sec-team: should I try to re-generate the above listed files for the 45.3.0 update (which I have queued for submission later today)?
After discussing with Michal, I'm patching FF 45.3.0. Also reported to Mozilla as https://bugzilla.mozilla.org/show_bug.cgi?id=1292534
ccing Wolfgang for openSUSE Mozilla packages
This is an autogenerated message for OBS integration: This bug (990856) was mentioned in https://build.opensuse.org/request/show/417437 Factory / seamonkey
SUSE-SU-2016:2061-1: An update that fixes 24 vulnerabilities is now available.

Category: security (important)
Bug References: 983549,983638,983639,983643,983646,983651,983652,983653,983655,984006,985659,989196,990628,990856,991809
CVE References: CVE-2016-2815,CVE-2016-2818,CVE-2016-2819,CVE-2016-2821,CVE-2016-2822,CVE-2016-2824,CVE-2016-2828,CVE-2016-2830,CVE-2016-2831,CVE-2016-2834,CVE-2016-2835,CVE-2016-2836,CVE-2016-2837,CVE-2016-2838,CVE-2016-2839,CVE-2016-5252,CVE-2016-5254,CVE-2016-5258,CVE-2016-5259,CVE-2016-5262,CVE-2016-5263,CVE-2016-5264,CVE-2016-5265,CVE-2016-6354
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): MozillaFirefox-45.3.0esr-48.1, MozillaFirefox-branding-SLED-45.0-20.38, firefox-fontconfig-2.11.0-4.2, mozilla-nspr-4.12-25.2, mozilla-nss-3.21.1-26.2
SUSE Linux Enterprise Debuginfo 11-SP2 (src): MozillaFirefox-45.3.0esr-48.1, firefox-fontconfig-2.11.0-4.2, mozilla-nspr-4.12-25.2, mozilla-nss-3.21.1-26.2
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2016-08-23. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62955
(In reply to Michal Marek from comment #14)
> So from the first list, we have
> - bogomips, which needs to be fixed
> - copies of ANGLE in MozillaFirefox, libQtWebKit4, libqt5-qtwebkit and
> webkitgtk, which need to be investigated

Adding maintainers to CC/NEEDINFO. Some more findings:

libQtWebKit4 and libqt5-qtwebkit regenerate the lexer during build. So it is just a matter of rebuilding the packages with the fixed flex. I can bundle them into the submissions.

webkitgtk installs flex into the chroot, but it does not regenerate Source/ThirdParty/ANGLE/src/compiler/preprocessor/Tokenizer.cpp. So please either fix the Makefile or patch the generated file.

bogofilter's ./configure checks for flex, which is not present. So the solution might be as simple as adding flex to buildrequires.
Second list:

Mesa: BuildRequires flex, but it looks like it's not using it and compiles the shipped lexers. -> harmless
acpica: Lexer for the iASL compiler -> harmless
aide: Lexer for the configuration files and database -> harmless
mod_nss: Lexer for parser of expressions in the config -> harmless
apache2_mod_python: Parser of the PSP pages. This could be a problem, however, it is not regenerated:
[ 31s] make[2]: Entering directory '/home/abuild/rpmbuild/BUILD/mod_python-3.5.0/src'
[ 31s] make[2]: 'psp_parser.c' is up to date.
apparmor: Scanner for the audit log. This should be OK, since the path length is limited. There is also a configuration parser. -> harmless
at: Parses user-supplied timespec and is setuid. -> We should update it (adding maintainer to CC).
autofs: Configuration parser -> harmless
automake: Parses source code -> harmless
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2016-08-29. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62976
This is an autogenerated message for OBS integration: This bug (990856) was mentioned in https://build.opensuse.org/request/show/420965 42.2 / MozillaFirefox https://build.opensuse.org/request/show/420967 42.1 / MozillaFirefox https://build.opensuse.org/request/show/420968 13.2 / MozillaFirefox https://build.opensuse.org/request/show/420969 13.1 / MozillaFirefox
SUSE-SU-2016:2131-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 989196,990628,990856,991809
CVE References: CVE-2016-2830,CVE-2016-2835,CVE-2016-2836,CVE-2016-2837,CVE-2016-2838,CVE-2016-2839,CVE-2016-5252,CVE-2016-5254,CVE-2016-5258,CVE-2016-5259,CVE-2016-5262,CVE-2016-5263,CVE-2016-5264,CVE-2016-5265,CVE-2016-6354
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): MozillaFirefox-45.3.0esr-78.1
SUSE Linux Enterprise Server for SAP 12 (src): MozillaFirefox-45.3.0esr-78.1
SUSE Linux Enterprise Server 12-SP1 (src): MozillaFirefox-45.3.0esr-78.1
SUSE Linux Enterprise Server 12-LTSS (src): MozillaFirefox-45.3.0esr-78.1
SUSE Linux Enterprise Desktop 12-SP1 (src): MozillaFirefox-45.3.0esr-78.1
(In reply to Michal Marek from comment #24)
> at: Parses user-supplied timespec and is setuid.
> -> We should update it (adding maintainer to CC).

I verified that if 'at' is built against fixed flex from Michal's branch, "yy_size_t num_to_read" is correctly fixed to "int num_to_read".
babeltrace: parser of the ctf (http://diamon.org/ctf/) metadata -> probably harmless
bc: calculator -> harmless
binutils: handled in the first list -> harmless
bison: handled in the first list -> harmless
bluez: does not use flex at all -> harmless
cfengine: configuration (promises) parser -> harmless
checkpolicy: Uses flex-old -> harmless
conntrack-tools: configuration parser -> harmless
crash: ADA expression parser in the bundled gdb, not even built -> harmless
cscope: C source parser -> harmless
csync2: configuration parser -> harmless
cyrus-imapd: sieve script and email address parser, both can be from untrusted sources -> we should update it
dovecot22: does not use flex at all -> harmless
doxygen: handled in the first list -> harmless
drbd: drbd configuration file and metadata parser -> harmless
dtc: Source code (dts) parser -> harmless
elfutils: handled in the first list -> harmless
eppic: C and C preprocessor parser -> harmless
gcc33, gcc48 -> harmless
gdb: ADA expression parser -> harmless
gfs2-utils: Used by a utility (gfs2l) which is not installed -> harmless
gob2: handled in the first list -> harmless
gobject-introspection: handled in the first list -> harmless
graphviz: Parsers of the dot and gml formats -> harmless
grub2: Grub configuration file and commandline parser. This should be OK, because with password protection, only superusers can edit the commandline -> harmless
gstreamer-0_10, gstreamer: Commandline syntax parser -> harmless
hwinfo: Parser of database files of ISDN. Ahem. -> harmless
icmake: a parser of alternative makefiles -> harmless
iproute2: parser for 'tc filter add ...' syntax -> harmless
ipsec-tools: several uses of flex:
- src/racoon/prsa_tok.l: parser of ipsec.secrets RSA keys
- src/racoon/cftoken.l: configuration parser
- src/libipsec/policy_token.l: policy parser
- src/setkey/token.l: configuration parser
-> harmless
isapnp: configuration parser -> harmless
java-cup, jflex -> false positives
kbd: keymap parser -> harmless
kdelibs4: khtml/css/tokenizer.flex takes CSS files as input, so potentially dangerous. There are two more uses of flex -> we should update it
ksh: Does not use flex -> harmless
libQtWebKit4: handled in the first list -> needs investigation
libXaw3d: Parser for the Layout widget -> harmless
libbonobo: parser for the activation server protocol, unclear. Gnome-maintainers please advise -> needs investigation
libcgroup: handled in the first list -> harmless
libcmpiutil: Parser for libcmpiutil CIM Managed Object Format (MOF) files -> hopefully harmless
(In reply to Michal Marek from comment #32)
> libbonobo: parser for the activation server protocol, unclear.
> Gnome-maintainers please advise

It's parsing a string received from the calling application, so potentially untrusted. I'd suggest updating. The tarball does not include the output from flex, so we would just need to grab the rebuilt package.
openSUSE-SU-2016:2167-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 990856,992236
CVE References: CVE-2016-6354
Sources used:
openSUSE 13.1 (src): MozillaFirefox-48.0.1-122.3, mozilla-nss-3.24-88.1
openSUSE-SU-2016:2182-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 990856,992236
CVE References: CVE-2016-6354
Sources used:
openSUSE Leap 42.1 (src): MozillaFirefox-48.0.1-30.6, mozilla-nss-3.24-26.2
openSUSE 13.2 (src): MozillaFirefox-48.0.1-77.4, mozilla-nss-3.24-43.1
(In reply to Michael Gorse from comment #33)
> (In reply to Michal Marek from comment #32)
>
> > libbonobo: parser for the activation server protocol, unclear.
> > Gnome-maintainers please advise
>
> It's parsing a string received from the calling application, so potentially
> untrusted. I'd suggest updating. The tarball does not include the output
> from flex, so we would just need to grab the rebuilt package.

Thanks for the response. I will add libbonobo to the submission.
libconfig: Library for parsing config files -> harmless
libcue: Parser of CUE sheets (https://en.wikipedia.org/wiki/Cue_sheet_%28computing%29) -> hopefully harmless
libevtlog: Does not use flex at all -> harmless
libgda: Does not use flex at all -> harmless
libgnomeprint: Print filter parser -> harmless
libguestfs: Handled in the first list -> harmless
libidl: Parser of CORBA Interface Definition Language (IDL) files. -> harmless
libnl: Netlink protocol library. Parser for /etc/libnl/pktloc and for packet matching syntax -> harmless
libpcap: pcap filter syntax parser -> harmless
libpt2: Does not use flex at all. Has a lexer for an ASN.1 parser tool, but it is not built -> harmless
libqt5-qtwebkit: Handled in the first list -> should be updated
libreoffice: OMG.
- connectivity/source/parse/sqlflex.l: Parser for SQL hopefully entered by user (but then possibly shared with other users)
- l10ntools/source/*.l: Seems to be a tool for translators of libreoffice
- idlc/source/scanner.l: UNO IDL compiler, a build-time tool
- unoidl/source/sourceprovider-scanner.l: Same..?
-> We should probably update it due to the sql parser. However, libreoffice is updated regularly, so I think I can skip it and it will pick up the fixed flex eventually
libsemanage: configuration parser -> harmless
SUSE-SU-2016:2195-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 989196,990628,990856,991809
CVE References: CVE-2016-2830,CVE-2016-2835,CVE-2016-2836,CVE-2016-2837,CVE-2016-2838,CVE-2016-2839,CVE-2016-5252,CVE-2016-5254,CVE-2016-5258,CVE-2016-5259,CVE-2016-5262,CVE-2016-5263,CVE-2016-5264,CVE-2016-5265,CVE-2016-6354
Sources used:
SUSE OpenStack Cloud 5 (src): MozillaFirefox-45.3.0esr-50.1
SUSE Manager Proxy 2.1 (src): MozillaFirefox-45.3.0esr-50.1
SUSE Manager 2.1 (src): MozillaFirefox-45.3.0esr-50.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): MozillaFirefox-45.3.0esr-50.1
SUSE Linux Enterprise Server 11-SP4 (src): MozillaFirefox-45.3.0esr-50.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): MozillaFirefox-45.3.0esr-50.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): MozillaFirefox-45.3.0esr-50.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): MozillaFirefox-45.3.0esr-50.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): MozillaFirefox-45.3.0esr-50.1
libsmi: Parsers for MIB files (https://en.wikipedia.org/wiki/Management_information_base) -> harmless
libxkbcommon: Does not use flex at all -> harmless
libyajl: Does not use flex at all -> harmless
linux-atm: Configuration parsers -> harmless
llvm: Does not use flex at all -> harmless
man: We do not have setuid man / mandb anymore -> harmless
mdbtools: SQL parser in a library for accessing MS Access files. Unclear -> we should update it
mipv6d: Configuration parser -> harmless
motif: parser of motif.wml and a lexer reading the yacc parser :) -> harmless
netpbm: thinkjettopbm parser -> we should update it
novell-ipsec-tools: Copy of ipsec-tools -> harmless
open-iscsi: /proc/device-tree parser -> harmless
open-lldp: dcbtool commandline parser -> harmless
openCryptoki: config parsers -> harmless
openslp:
- common/slp_filter_l.l: LDAP filter syntax parser, this is OK
- common/slp_attr_l.l: SLP attributes parser, this is potentially untrusted
-> we should update it
opensm: policy file parser -> harmless
pacemaker: Config parser -> harmless
pam: build helper and a config parser (pam_conv1) which is not installed either -> harmless
pam_pkcs11: configuration parser -> harmless
pcp:
- src/pmlc/lex.l: Commandline syntax parser
- src/dbpmda/src/lex.l: interactive command syntax parser
- src/pmlogextract/lex.l: Parser of performance log files created by other pcp tools, hopefully OK
- src/pmlogger/lex.l: Configuration parser
- src/pmlogrewrite/lex.l: Configuration parser
- src/pmdas/hotproc/src/lex.l: Configuration parser
perf: Configuration and commandline syntax parser -> harmless
openSUSE-SU-2016:2253-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 990856,991809
CVE References: CVE-2016-2830,CVE-2016-2836,CVE-2016-2837,CVE-2016-2838,CVE-2016-2839,CVE-2016-5252,CVE-2016-5254,CVE-2016-5258,CVE-2016-5259,CVE-2016-5262,CVE-2016-5263,CVE-2016-5264,CVE-2016-5265,CVE-2016-6354
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src): MozillaThunderbird-45.3.0-9.1
openSUSE-SU-2016:2254-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 990856,991809
CVE References: CVE-2016-2830,CVE-2016-2836,CVE-2016-2837,CVE-2016-2838,CVE-2016-2839,CVE-2016-5252,CVE-2016-5254,CVE-2016-5258,CVE-2016-5259,CVE-2016-5262,CVE-2016-5263,CVE-2016-5264,CVE-2016-5265,CVE-2016-6354
Sources used:
openSUSE Leap 42.1 (src): MozillaThunderbird-45.3.0-19.2
openSUSE 13.2 (src): MozillaThunderbird-45.3.0-46.2
plotutils: Mathematical expression parser -> harmless
ppc64-diag: Event/message catalog parsers -> harmless
pwlib: Does not use flex at all -> harmless
qdox: false positive -> harmless
radvd: radvd.conf parser -> harmless
rasqal: SPARQL parser, no idea. The library is also used by libreoffice. However, the Makefile does not rebuild the lexer by default and uses a canned lexer that does not have this bug -> harmless
rdist: Does not use flex at all -> harmless
rsyslog: Configuration parser -> harmless
sblim-cmpi-dns: Configuration parsers -> harmless
sblim-cmpi-nfsv3: Configuration parsers -> harmless
sblim-cmpi-nfsv4: Configuration parsers -> harmless
sblim-sfcb: CIM XML parser and CIM MOF parser. The CIM XML parser is possibly problematic, but the Makefile does not rebuild the lexer and the canned lexer is not vulnerable -> harmless
sblim-smis-hba: Does not use flex at all -> harmless
sensors: configuration parser -> harmless
setools: Policy file parser -> harmless
sgmltool: sgml and RTF parser. The RTF parser (rtf2rtf) is possibly problematic, I guess -> we should update it
squidGuard: configuration parser -> harmless
strongswan: configuration parser -> harmless
syslog-ng: configuration parser -> harmless
texlive: handled in the first list -> harmless
vala: handled in the first list -> harmless
virtuoso: Lots of parsers and it's a multi-purpose server (database, web, etc) -> we should update it
webkitgtk: handled in the first list -> we should update it
wireshark: Lots of parsers, better update -> we should update it
xbsql: client-side SQL parser -> harmless
xen:
- tools/firmware/seabios-dir-remote/tools/kconfig/zconf.l: Copy of kernel kconfig
- xen-4.4.1-testing/tools/libxl/libxlu_disk_l.l: Disk specification syntax parser
- xen-4.4.1-testing/tools/libxl/libxlu_cfg_l.l: Configuration parser
-> harmless
xfig: does not use flex at all -> harmless
xindy: See texlive -> harmless
xmlto: xmlif(1) parser, hopefully OK -> harmless
xorg-x11-server: Handled in the first list -> harmless
xsupplicant: configuration parser -> harmless
yast2-code: Parser of the YCP language. It even accepts German keywords like "Wiederkehr", "falls" or "sonstwas", LOL -> harmless
yast2-*: Other yast2 packages do not use flex at all -> harmless
yodl: Does not use flex at all -> harmless
The affected packages are building in home:michal-m:branches:SUSE:SLE-12:Update:flex. I had to patch bogofilter to buildrequire flex and actually rebuild the parser. There may be more cases like this, I'm checking now. I skipped MozillaFirefox, which has already been handled by Petr, and libreoffice, which I assume will be sooner or later updated for other reasons.
Some packages fail to build with the patched flex. *sigh*
The devel project of SUSE:SLE-12:Update/webkitgtk points to Devel:Desktop:SLE12:SP2/webkitgtk, but Devel:Desktop:SLE12:SP2/webkitgtk does not build in a SUSE:SLE-12:Update build environment (configure: error: Package requirements (geoclue) were not met). I'll leave this up to gnome-maintainers to update the package.
The sgmltool failure is a bit ironic. It has its own extern declaration of yyleng:

extern int yyleng;

And a patch changes it to size_t to compile with flex, which declared yyleng with a wrong type (cf. https://sourceforge.net/p/flex/bugs/187/). Now I backported 7a7c3dfe1bcb ("Fix more integer types, resolves sf 184, 187"), which fixes the declaration, and the patched sgmltool fails. However, looking at the patch, it really only seems to be a POSIX conformance fix and not a security issue. So I will err on the side of compatibility with the SLE12 GA package and revert the patch again.
libQtWebKit4 rebuilds the scanners, but it leaves copies of the shipped (and buggy) scanners intact. So this package is fine.
Same for libqt5-qtwebkit. It's the same source code copy after all.
I fixed flex and the dependent packages finally (mr#120927). Most packages only required a rebuild with no source changes; in such cases, I added an entry to the .changes file:

-------------------------------------------------------------------
Fri Sep 9 14:56:59 UTC 2016 - mmarek@suse.cz

- Rebuild with a fixed flex package to fix a buffer overflow
  (bsc#990856, CVE-2016-6354).

I skipped two packages: libreoffice, because I believe it has its own update schedule (please correct me if I'm wrong), and webkitgtk, for which the devel project does not provide a buildable package. Plus, Firefox has already been released.
openSUSE-SU-2016:2378-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 990856,991809
CVE References: CVE-2016-2830,CVE-2016-2836,CVE-2016-2837,CVE-2016-2838,CVE-2016-2839,CVE-2016-5252,CVE-2016-5254,CVE-2016-5258,CVE-2016-5259,CVE-2016-5262,CVE-2016-5263,CVE-2016-5264,CVE-2016-5265,CVE-2016-6354
Sources used:
openSUSE 13.1 (src): MozillaThunderbird-45.3.0-70.86.1
SUSE-SU-2016:2397-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 954210,990856
CVE References: CVE-2015-8079,CVE-2016-6354
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): bogofilter-1.2.4-5.3
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): flex-2.5.37-8.1, libQtWebKit4-4.8.6+2.3.3-3.1, libbonobo-2.32.1-16.1, mdbtools-0.7-5.1, netpbm-10.66.3-4.1, openslp-2.0.0-11.1, sgmltool-1.0.9-1075.1
SUSE Linux Enterprise Server 12-SP1 (src): at-3.1.14-7.3, cyrus-imapd-2.3.18-40.1, flex-2.5.37-8.1, kdelibs4-4.12.0-7.3, libQtWebKit4-4.8.6+2.3.3-3.1, libbonobo-2.32.1-16.1, netpbm-10.66.3-4.1, openslp-2.0.0-11.1
SUSE Linux Enterprise Desktop 12-SP1 (src): at-3.1.14-7.3, bogofilter-1.2.4-5.3, kdelibs4-4.12.0-7.3, libQtWebKit4-4.8.6+2.3.3-3.1, libbonobo-2.32.1-16.1, netpbm-10.66.3-4.1, openslp-2.0.0-11.1
SLES 11 is not affected.
There could be updated SLE11 packages with a vulnerable version of the scanner, checking.
In /work/SRC/SUSE:SLE-11*, I see
binutils -> harmless
doxygen -> harmless
firefox -> already updated
gecode -> unknown, the SLE12 does not have the vulnerable scanner
libcgroup -> harmless
postgresql -> unknown, there is also a SLE12 update package which I missed
wireshark -> Needs to be fixed. The fix should be simply a 'find -name '*.l' | xargs touch' (hopefully the flex 2.5.29 -> 2.5.35 downgrade won't cause issues)
openSUSE-SU-2016:2450-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 990856
CVE References: CVE-2016-6354
Sources used:
openSUSE Leap 42.1 (src): at-3.1.14-9.2, flex-2.5.37-11.1, libbonobo-2.32.1-19.1, netpbm-10.66.3-6.1, openslp-2.0.0-14.1, sgmltool-1.0.9-1078.1, virtuoso-6.1.6-13.1
SLE11 gecode contains a parser of zinc / minizinc (http://www.minizinc.org/) -> harmless
Created attachment 701287 [details] postgresql94: Rebuild all flex scanners
The SLE12 and SLE11 postgresql94 packages need the above patch to rebuild the vulnerable scanners shipped with the source. In SLE11, there is a risk that the scanner won't work with the older flex version there (2.5.35 vs. 2.5.39), but hopefully the testsuite has good coverage.
Likewise, the SLE11 wireshark.spec needs to run find -name '*.l' | xargs touch at the end of %prep, like the SLE12 package does. After the build, none of the flex scanners shall contain "yy_size_t num_to_read".
Adding also the wireshark maintainer to NEEDINFO.
I will integrate this fix if PM wants wireshark updated to a 2.xxx version in SLE11.
openSUSE-SU-2017:0356-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1017174,1021636,984637,990856
CVE References: CVE-2016-6354
Sources used:
openSUSE Leap 42.2 (src): seamonkey-2.46-9.2
openSUSE Leap 42.1 (src): seamonkey-2.46-9.2
SUSE-SU-2017:1442-1: An update that solves 24 vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 1002981,1010735,1010740,1010752,1010754,1010911,1021739,1025913,1026507,1027692,1027998,1033936,1033937,1033938,1033939,1033940,1033941,1033942,1033943,1033944,1033945,990856,998761,998762,998763,998800,998963,998964
CVE References: CVE-2016-6354,CVE-2016-7175,CVE-2016-7176,CVE-2016-7177,CVE-2016-7178,CVE-2016-7179,CVE-2016-7180,CVE-2016-9373,CVE-2016-9374,CVE-2016-9375,CVE-2016-9376,CVE-2017-5596,CVE-2017-5597,CVE-2017-6014,CVE-2017-7700,CVE-2017-7701,CVE-2017-7702,CVE-2017-7703,CVE-2017-7704,CVE-2017-7705,CVE-2017-7745,CVE-2017-7746,CVE-2017-7747,CVE-2017-7748
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): wireshark-2.2.6-44.3
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): wireshark-2.2.6-44.3
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): wireshark-2.2.6-44.3
SUSE Linux Enterprise Server 12-SP2 (src): wireshark-2.2.6-44.3
SUSE Linux Enterprise Server 12-SP1 (src): wireshark-2.2.6-44.3
SUSE Linux Enterprise Desktop 12-SP2 (src): wireshark-2.2.6-44.3
SUSE Linux Enterprise Desktop 12-SP1 (src): wireshark-2.2.6-44.3
This is an autogenerated message for OBS integration: This bug (990856) was mentioned in https://build.opensuse.org/request/show/641836 42.3 / wireshark
Done
This is an autogenerated message for OBS integration: This bug (990856) was mentioned in https://build.opensuse.org/request/show/904702 15.3 / seamonkey
This is an autogenerated message for OBS integration: This bug (990856) was mentioned in https://build.opensuse.org/request/show/907731 15.3 / seamonkey
This is an autogenerated message for OBS integration: This bug (990856) was mentioned in https://build.opensuse.org/request/show/914429 15.3 / seamonkey
This is an autogenerated message for OBS integration: This bug (990856) was mentioned in https://build.opensuse.org/request/show/922046 15.3 / seamonkey
This is an autogenerated message for OBS integration: This bug (990856) was mentioned in https://build.opensuse.org/request/show/931737 15.3 / seamonkey