Bug 739018 (CVE-2020-24240)

Summary: <sys-devel/bison-3.7.1: Use after free (CVE-2020-24240)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ajak, base-system
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/akimd/bison/commit/be95a4fe2951374676efc9454ffee8638faaf68d
See Also: https://bugs.gentoo.org/show_bug.cgi?id=717936
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 717936
Bug Blocks:

Description Sam James 2020-08-26 00:54:21 UTC
Description:
"GNU Bison 3.7 has a use after free (UAF) vulnerability. A local attacker may execute bison with a crafted input file containing a NULL byte, which could trigger UAF and thus cause a system crash."

Patch: https://github.com/akimd/bison/commit/be95a4fe2951374676efc9454ffee8638faaf68d

Bug: https://lists.gnu.org/r/bug-bison/2020-07/msg00051.html
Comment 1 NATTkA bot 2020-08-26 00:56:51 UTC
Sanity check failed:

> sys-devel/bison-3.7.1
>   bdepend amd64 stable profile default/linux/amd64/17.0 (79 total)
>     >=sys-devel/gettext-0.21
>   bdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (35 total)
>     >=sys-devel/gettext-0.21
Comment 2 NATTkA bot 2020-08-31 20:48:58 UTC
Sanity check failed:

> sys-devel/bison-3.7.1
>   bdepend amd64 stable profile default/linux/amd64/17.0 (68 total)
>     >=sys-devel/gettext-0.21
>   bdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (35 total)
>     >=sys-devel/gettext-0.21
Comment 3 NATTkA bot 2020-08-31 20:52:52 UTC
All sanity-check issues have been resolved
Comment 4 NATTkA bot 2020-08-31 21:24:51 UTC
Sanity check failed:

> sys-devel/bison-3.7.1
>   bdepend ppc stable profile default/linux/powerpc/ppc32/17.0 (10 total)
>     >=sys-devel/gettext-0.21
Comment 5 NATTkA bot 2020-08-31 21:28:52 UTC
All sanity-check issues have been resolved
Comment 6 NATTkA bot 2020-08-31 21:48:51 UTC
Sanity check failed:

> sys-devel/bison-3.7.1
>   bdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=sys-devel/gettext-0.21
Comment 7 NATTkA bot 2020-08-31 21:52:52 UTC
Sanity check failed:

> sys-devel/bison-3.7.1
>   bdepend arm stable profile default/linux/arm/17.0 (27 total)
>     >=sys-devel/gettext-0.21
>   bdepend arm dev profile default/linux/arm/17.0/armv4 (33 total)
>     >=sys-devel/gettext-0.21
Comment 8 NATTkA bot 2020-08-31 21:56:51 UTC
All sanity-check issues have been resolved
Comment 9 NATTkA bot 2020-09-07 20:53:38 UTC
Unable to check for sanity:

> no match for package: sys-devel/bison-3.7.1
Comment 10 John Helmert III 2021-07-24 05:54:40 UTC
All done!