
Bug 686720 (CVE-2019-8343)

Summary: <dev-lang/nasm-2.16.01: use-after-free in paste_tokens in asm/preproc.c
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: kripton, matthew, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.nasm.us/show_bug.cgi?id=3392556
Whiteboard: A2 [glsa+]
Package list:
Runtime testing required: ---

Description D'juan McDonald (domhnall) 2019-05-25 07:52:09 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-8343):
In Netwide Assembler (NASM) 2.14.02, there is a use-after-free in paste_tokens in asm/preproc.c.


Gentoo Security Padawan
(domhnall)
Comment 1 Hans de Graaff gentoo-dev Security 2023-10-17 16:00:52 UTC
According to the upstream bug this should be fixed in nasm 2.16.01. Please clean up the vulnerable version 2.15.05.
Comment 2 Larry the Git Cow gentoo-dev 2023-10-22 14:34:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9d1d1dd861423b9661e29d048de111f7d5034738

commit 9d1d1dd861423b9661e29d048de111f7d5034738
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2023-10-22 14:33:38 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-10-22 14:34:35 +0000

    dev-lang/nasm: drop 2.15.05
    
    Bug: https://bugs.gentoo.org/686720
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-lang/nasm/Manifest            |  1 -
 dev-lang/nasm/nasm-2.15.05.ebuild | 53 ---------------------------------------
 2 files changed, 54 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-10-23 04:21:56 UTC
> According to the upstream bug this should be fixed in nasm 2.16.01

But the bug is still open and there's no confirmation of a fix by the reporter, do we trust it?
Comment 4 Matthew Smith gentoo-dev 2023-10-25 07:47:00 UTC
The PoC no longer triggers a use-after-free crash with ASan, but none of the changes in the git log or release notes mention the upstream bug or CVE.

The history of preproc.c is quite exciting to read through: https://github.com/netwide-assembler/nasm/commits/master/asm/preproc.c
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-10-28 21:47:56 UTC
> The history of preproc.c is quite exciting to read through

Gross :(

But I'll trust the determination of the maintainer here, then. Thanks!
Comment 6 Larry the Git Cow gentoo-dev 2023-12-22 12:11:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9f9ee310bf6c4ebf26d43ff75e027e27f23beb80

commit 9f9ee310bf6c4ebf26d43ff75e027e27f23beb80
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-22 12:11:31 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-22 12:11:54 +0000

    [ GLSA 202312-09 ] NASM: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/686720
    Bug: https://bugs.gentoo.org/903755
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-09.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)