
Bug 739020 (CVE-2020-24241, CVE-2020-24242)

Summary: <dev-lang/nasm-2.15.0: Multiple vulnerabilities (CVE-2020-{24241,24242})
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ajak, slyfox
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-26 01:01:58 UTC
* CVE-2020-24241

Description:
"In Netwide Assembler (NASM) 2.15rc10, there is heap use-after-free in saa_wbytes in nasmlib/saa.c."

Bug: https://bugzilla.nasm.us/show_bug.cgi?id=3392707

* CVE-2020-24242

Description:
"In Netwide Assembler (NASM) 2.15rc10, SEGV can be triggered in tok_text in asm/preproc.c by accessing READ memory."

Bug: https://bugzilla.nasm.us/show_bug.cgi?id=3392708
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-28 20:58:16 UTC
These are ostensibly against an rc version and I can't reproduce with 2.15.04 so we might not be affected.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-28 21:15:29 UTC
(In reply to John Helmert III (ajak) from comment #1)
> These are ostensibly against an rc version and I can't reproduce with
> 2.15.04 so we might not be affected.

Sorry, 2.14.02 is what appears unaffected.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-08 16:27:42 UTC
Ping
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2020-10-10 07:57:18 UTC
It's not clear if you ping maintainers or security. If not specified otherwise I always assume assignee.

It's also not clear what action you expect.

Upstream bugs claim to fix both problems in >=nasm-2.15.04.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-10 14:38:36 UTC
(In reply to Sergei Trofimovich from comment #4)
> It's not clear if you ping maintainers or security. If not specified
> otherwise I always assume assignee.
> 
> It's also not clear what action you expect.

Sorry! It is unclear whether our versions in tree were ever affected. If not, we can just close this bug.
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2020-10-10 20:23:25 UTC
nasm-2.15.03 was probably last affected version (not in tree anymore).
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-25 23:54:25 UTC
(In reply to Sergei Trofimovich from comment #6)
> nasm-2.15.03 was probably last affected version (not in tree anymore).

Thanks!