Summary: | dev-util/yacc skeleton.c rule reduction stack error (CVE-2008-3196) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | fmccor, maintainer-needed
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | B3 [noglsa] | |
Package list: | | Runtime testing required: | ---

Description
Robert Buchholz (RETIRED)
2008-07-16 21:20:22 UTC
OpenBSD Patch: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/yacc/skeleton.c.diff?r1=1.28&r2=1.29

This might also affect:
dev-util/byacc
dev-util/btyacc
sys-freebsd/freebsd-ubin
dev-lang/ocaml

Created attachment 160604
yacc-skeleton.c-CVE-2008-3196.patch

ocaml was a false positive, same for btyacc. byacc is affected, so we have two maintainer-needed packages for this.

Since yacc input should be trusted input anyway (it will create code to be run), I am tempted to call this a non-issue.

I have bumped the two packages, let's stable this on 2008-10-11 if no bugs pop up.

Arches, please test and mark stable:
=dev-util/yacc-1.9.1-r4
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
=dev-util/byacc-1.9-r2
Target keywords : "alpha amd64 ia64 ppc ppc64 s390 sparc x86"

Sparc stable for yacc-1.9.1-r4 and byacc-1.9-r2. I also fixed a couple quoting problems ${FILESDIR} --> "${FILESDIR}" in byacc-1.9-r2 (I didn't bother with -1.9 or 1-9-r1). Curious that even though yacc is part of the original Unix, I think, it still does not come with a test phase.

amd64/x86 stable

ppc stable

alpha/ia64 stable

Stable for HPPA.

ppc64 done

Ready for vote, I vote NO.

voting NO too and closing.