Bug 1058013 – VUL-1: CVE-2017-14228: nasm: In Netwide Assembler (NASM) 2.14rc0, there is an illegal address access in thefunction paste_tokens() in preproc.c, aka a NULL pointer dereference. It willlead to remote denial of service.

Bug 1058013 - (CVE-2017-14228) VUL-1: CVE-2017-14228: nasm: In Netwide Assembler (NASM) 2.14rc0, there is an illegal address access in thefunction paste_tokens() in preproc.c, aka a NULL pointer dereference. It willlead to remote denial of service.

(CVE-2017-14228)
Summary:	VUL-1: CVE-2017-14228: nasm: In Netwide Assembler (NASM) 2.14rc0, there is an...

Status:	CONFIRMED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assigned To:	Michael Vetter
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/191706/
Whiteboard:	CVSSv2:SUSE:CVE-2017-14228:4.4:(AV:L/...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-09-11 06:45 UTC by Marcus Meissner
Modified:	2020-11-04 15:18 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
POC3 (1.22 KB, text/plain) 2017-09-11 06:50 UTC, Marcus Meissner	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2017-09-11 06:45:23 UTC

CVE-2017-14228

In Netwide Assembler (NASM) 2.14rc0, there is an illegal address access in the
function paste_tokens() in preproc.c, aka a NULL pointer dereference. It will
lead to remote denial of service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14228
http://www.cvedetails.com/cve/CVE-2017-14228/
https://bugzilla.nasm.us/show_bug.cgi?id=3392423

Comment 1 Marcus Meissner 2017-09-11 06:50:41 UTC

Created attachment 740137 [details]
POC3

QA REPRODUCER:

nasm -f bin POC3 -o tmp

should not crash.

Comment 6 Swamp Workflow Management 2019-12-11 20:21:40 UTC

SUSE-SU-2019:14246-1: An update that fixes 118 vulnerabilities is now available.

Category: security (important)
Bug References: 1000036,1001652,1025108,1029377,1029902,1040164,104105,1042670,1043008,1044946,1047925,1047936,1048299,1049186,1050653,1056058,1058013,1066242,1066953,1070738,1070853,1072320,1072322,1073796,1073798,1073799,1073803,1073808,1073818,1073823,1073829,1073830,1073832,1073846,1074235,1077230,1079761,1081750,1082318,1087453,1087459,1087463,1088573,1091764,1094814,1097158,1097375,1097401,1097404,1097748,1104841,1105019,1107030,1109465,1117473,1117626,1117627,1117629,1117630,1120644,1122191,1123482,1124525,1127532,1129346,1130694,1130840,1133452,1133810,1134209,1138459,1140290,1140868,1141853,1144919,1145665,1146090,1146091,1146093,1146094,1146095,1146097,1146099,1146100,1149323,1153423,1154738,1447070,1447409,744625,744629,845955,865853,905528,917607,935856,937414,947747,948045,948602,955142,957814,957815,961254,962297,966076,966077,985201,986541,991344,998743
CVE References: CVE-2013-2882,CVE-2013-6639,CVE-2013-6640,CVE-2013-6668,CVE-2014-0224,CVE-2015-3193,CVE-2015-3194,CVE-2015-5380,CVE-2015-7384,CVE-2016-2086,CVE-2016-2178,CVE-2016-2183,CVE-2016-2216,CVE-2016-5172,CVE-2016-5325,CVE-2016-6304,CVE-2016-6306,CVE-2016-7052,CVE-2016-7099,CVE-2017-1000381,CVE-2017-10686,CVE-2017-11111,CVE-2017-11499,CVE-2017-14228,CVE-2017-14849,CVE-2017-14919,CVE-2017-15896,CVE-2017-15897,CVE-2017-17810,CVE-2017-17811,CVE-2017-17812,CVE-2017-17813,CVE-2017-17814,CVE-2017-17815,CVE-2017-17816,CVE-2017-17817,CVE-2017-17818,CVE-2017-17819,CVE-2017-17820,CVE-2017-18207,CVE-2017-3735,CVE-2017-3736,CVE-2017-3738,CVE-2018-0732,CVE-2018-1000168,CVE-2018-12115,CVE-2018-12116,CVE-2018-12121,CVE-2018-12122,CVE-2018-12123,CVE-2018-20406,CVE-2018-20852,CVE-2018-7158,CVE-2018-7159,CVE-2018-7160,CVE-2018-7161,CVE-2018-7167,CVE-2019-10160,CVE-2019-11709,CVE-2019-11710,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11714,CVE-2019-11715,CVE-2019-11716,CVE-2019-11717,CVE-2019-11718,CVE-2019-11719,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11729,CVE-2019-11730,CVE-2019-11733,CVE-2019-11735,CVE-2019-11736,CVE-2019-11738,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11747,CVE-2019-11748,CVE-2019-11749,CVE-2019-11750,CVE-2019-11751,CVE-2019-11752,CVE-2019-11753,CVE-2019-11757,CVE-2019-11758,CVE-2019-11759,CVE-2019-11760,CVE-2019-11761,CVE-2019-11762,CVE-2019-11763,CVE-2019-11764,CVE-2019-13173,CVE-2019-15903,CVE-2019-5010,CVE-2019-5737,CVE-2019-9511,CVE-2019-9512,CVE-2019-9513,CVE-2019-9514,CVE-2019-9515,CVE-2019-9516,CVE-2019-9517,CVE-2019-9518,CVE-2019-9636,CVE-2019-9811,CVE-2019-9812,CVE-2019-9947
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    MozillaFirefox-68.2.0-78.51.4, MozillaFirefox-branding-SLED-68-21.9.8, firefox-atk-2.26.1-2.8.4, firefox-cairo-1.15.10-2.13.4, firefox-gcc5-5.3.1+r233831-14.1, firefox-gcc8-8.2.1+r264010-2.5.1, firefox-gdk-pixbuf-2.36.11-2.8.4, firefox-glib2-2.54.3-2.14.7, firefox-gtk3-3.10.9-2.15.3, firefox-harfbuzz-1.7.5-2.7.4, firefox-libffi-3.2.1.git259-2.3.3, firefox-libffi-gcc5-5.3.1+r233831-14.1, firefox-pango-1.40.14-2.7.4, mozilla-nspr-4.21-29.6.1, mozilla-nss-3.45-38.9.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 Swamp Workflow Management 2020-07-07 16:18:22 UTC

SUSE-SU-2020:1864-1: An update that solves 12 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1058013,1073796,1073798,1073799,1073803,1073808,1073818,1073823,1073829,1073830,1073832,1073846,1084631
CVE References: CVE-2017-14228,CVE-2017-17810,CVE-2017-17811,CVE-2017-17812,CVE-2017-17813,CVE-2017-17814,CVE-2017-17815,CVE-2017-17816,CVE-2017-17817,CVE-2017-17818,CVE-2017-17819,CVE-2017-17820
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    nasm-2.14.02-4.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.