Bug 670884

Summary: <dev-lang/nasm-2.14: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Arfrever Frehtes Taifersar Arahesis <arfrever.fta>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: slyfox
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: All
Whiteboard: B3 [glsa+]
Package list:
dev-lang/nasm-2.14.02
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 624646, 635358, 659550

Description Arfrever Frehtes Taifersar Arahesis 2018-11-11 08:00:00 UTC
dev-lang/nasm-2.14 was released on 2018-11-07.

There are several changes which sound like security fixes:
https://www.nasm.us/xdoc/2.14/html/nasmdocc.html
"""
・ Changed -I option semantics by adding a trailing path separator unconditionally.
・ Fixed null dereference in corrupted invalid single line macros.
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
・ Fixed division by zero which may happen if source code is malformed.
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
・ Fixed out of bound access in processing of malformed segment override.
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
・ Fixed out of bound access in certain EQU parsing.
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
・ Fixed buffer underflow in float parsing.
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
・ Added SGX (Intel Software Guard Extensions) instructions.
・ Added +n syntax for multiple contiguous registers.
・ Fixed subsections_via_symbols for macho object format.
・ Added the --gprefix, --gpostfix, --lprefix, and --lpostfix command line options, to allow command line base symbol renaming.
・ Allow label renaming to be specified by %pragma in addition to from the command line.
・ Supported generic %pragma namespaces, output and debug.
・ Added the --pragma command line option to inject a %pragma directive.
・ Added the --before command line option to accept preprocess statement before input.
・ Added AVX512 VBMI2 (Additional Bit Manipulation), VNNI (Vector Neural Network), BITALG (Bit Algorithm), and GFNI (Galois Field New Instruction) instructions.
・ Added the STATIC directive for local symbols that should be renamed using global-symbol rules.
・ Allow a symbol to be defined as EXTERN and then later overridden as GLOBAL or COMMON. Furthermore, a symbol declared EXTERN and then defined will be treated as GLOBAL.
・ The GLOBAL directive no longer is required to precede the definition of the symbol.
・ Support private_extern as macho specific extension to the GLOBAL directive.
・ Updated UD0 encoding to match with the specification
・ Added the --limit-X command line option to set execution limits.
・ Updated the Codeview version number to be aligned with MASM.
・ Added the --keep-all command line option to preserve output files.
・ Added the --include command line option, an alias to -P.
・ Added the --help command line option as an alias to -h.
・ Added -W, -D, and -Q suffix aliases for RET instructions so the operand sizes of these instructions can be encoded without using o16, o32 or o64.
"""
Comment 1 Larry the Git Cow gentoo-dev 2018-11-11 10:54:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0d246ca10179861ff355daeb30662d07d44c8964

commit 0d246ca10179861ff355daeb30662d07d44c8964
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-11-11 10:52:50 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-11-11 10:54:10 +0000

    dev-lang/nasm: bump up to 2.14, bug #670884
    
    Reported-by: Arfrever Frehtes Taifersar Arahesis
    Bug: https://bugs.gentoo.org/670884
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 dev-lang/nasm/Manifest         |  1 +
 dev-lang/nasm/nasm-2.14.ebuild | 52 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+)
Comment 2 Arfrever Frehtes Taifersar Arahesis 2019-01-18 20:58:02 UTC
"[#gentoo-toolchain 2019-01-18 20:53:33 UTC] <@slyfox> 2.14.02 is fine to go stable"
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-01-23 18:34:10 UTC
amd64 stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-01-24 22:25:16 UTC
x86 stable
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2019-03-28 02:12:48 UTC
This issue was resolved and addressed in
 GLSA 201903-19 at https://security.gentoo.org/glsa/201903-19
by GLSA coordinator Aaron Bauman (b-man).