Summary: | dev-lang/nasm: IEEE_PUTASCII Remote Buffer Overflow | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Jean-François Brunette (RETIRED) <formula7> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | mr_bones_ |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Other | ||
URL: | https://bugzilla.redhat.com/beta/show_bug.cgi?id=152962 | ||
Whiteboard: | B2 [noglsa] formula7 | ||
Package list: | Runtime testing required: | --- |
Description
Jean-François Brunette (RETIRED)
2005-05-17 15:22:03 UTC
According to tigger^ 0.98.39 is vulnerable. (Anyway, I didn't see that it was released on January)

Fixed. Security team can proceed.

Team members, please advise on this one

Here's from the original advisory (http://sourceforge.net/mailarchive/forum.php?thread_id=7175315&forum_id=4978)

--- nasm-0.98.39/output/outieee.c.overfl 2005-01-15 23:16:08.000000000 +0100 +++ nasm-0.98.39/output/outieee.c 2005-04-01 12:55:17.231530832 +0200 @@ -1120,7 +1120,7 @@ static void ieee_putascii(char *format, va_list ap; va_start(ap, format); - vsprintf(buffer, format, ap); + vsnprintf(buffer, sizeof(buffer), format, ap); l = strlen(buffer); for (i = 0; i < l; i++) if ((buffer[i] & 0xff) > 31)

Why are we still talking about this? It's fixed in portage already. Security team, do your announce thing and let's move on.

Closing without GLSA, because it relies on a too dumb user to work.
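
Review bot: In the ieee_putascii hunk of output/outieee.c, the return value of the new vsnprintf(buffer, sizeof(buffer), format, ap) call is discarded, so an over-long formatted record is silently truncated and the following l = strlen(buffer) loop emits the shortened text as if it were complete. Suggest capturing the result and treating a negative value or one >= sizeof(buffer) as an error instead of writing a truncated record to the output file. The bound is also only right if buffer is an array declared in this function; its declaration falls outside the visible context, so it is worth confirming that sizeof(buffer) is the array size and not the size of a pointer.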