
Bug 862112 (CVE-2021-33454, CVE-2021-33455, CVE-2021-33456, CVE-2021-33457, CVE-2021-33458, CVE-2021-33459, CVE-2021-33460, CVE-2021-33461, CVE-2021-33462, CVE-2021-33463, CVE-2021-33464, CVE-2021-33465, CVE-2021-33466, CVE-2021-33467, CVE-2021-33468, CVE-2023-29579, CVE-2023-29580, CVE-2023-29581, CVE-2023-29582, CVE-2023-29583, CVE-2023-30402, CVE-2023-31723, CVE-2023-31724, CVE-2023-31725, CVE-2023-31972, CVE-2023-31973, CVE-2023-31974, CVE-2023-31975)

Summary: dev-lang/yasm: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: normal
CC: base-system
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://gist.github.com/Clingto/bb632c0c463f4b2c97e4f65f751c5e6d
Whiteboard: ??
Package list:
Runtime testing required: ---

Comment 1, John Helmert III (ajak), 2023-04-25 23:46:17 UTC
CVE-2023-30402 (https://github.com/yasm/yasm/issues/206):

YASM v1.3.0 was discovered to contain a heap overflow via the function handle_dot_label at /nasm/nasm-token.re.

CVE-2023-29582 (https://github.com/yasm/yasm/issues/217):

yasm 1.3.0.55.g101bc was discovered to contain a stack overflow via the function parse_expr1 at /nasm/nasm-parse.c.

CVE-2023-29583 (https://github.com/yasm/yasm/issues/218):

yasm 1.3.0.55.g101bc was discovered to contain a stack overflow via the function parse_expr5 at /nasm/nasm-parse.c.

CVE-2023-29579 (https://github.com/yasm/yasm/issues/214):

yasm 1.3.0.55.g101bc was discovered to contain a stack overflow via the component yasm/yasm+0x43b466 in vsprintf.

CVE-2023-29581 (https://github.com/yasm/yasm/issues/216):

yasm 1.3.0.55.g101bc was discovered to contain a segmentation violation via the function delete_Token at /nasm/nasm-pp.c.

CVE-2023-29580 (https://github.com/yasm/yasm/issues/215):

yasm 1.3.0.55.g101bc was discovered to contain a segmentation violation via the component yasm_expr_create at /libyasm/expr.c.

Comment 2, John Helmert III (ajak), 2023-05-11 04:36:48 UTC
CVE-2023-31972 (https://github.com/yasm/yasm/issues/209):

yasm v1.3.0 was discovered to contain a use after free via the function pp_getline at /nasm/nasm-pp.c.

CVE-2023-31973 (https://github.com/yasm/yasm/issues/207):

yasm v1.3.0 was discovered to contain a use after free via the function expand_mmac_params at /nasm/nasm-pp.c.

CVE-2023-31974 (https://github.com/yasm/yasm/issues/208):

yasm v1.3.0 was discovered to contain a use after free via the function error at /nasm/nasm-pp.c.

CVE-2023-31975 (https://github.com/yasm/yasm/issues/210):

yasm v1.3.0 was discovered to contain a memory leak via the function yasm_intnum_copy at /libyasm/intnum.c.

Comment 3, John Helmert III (ajak), 2023-05-19 02:48:38 UTC
CVE-2023-31723 (https://github.com/yasm/yasm/issues/220):

yasm 1.3.0.55.g101bc was discovered to contain a segmentation violation via the function expand_mmac_params at /nasm/nasm-pp.c.

CVE-2023-31724 (https://github.com/yasm/yasm/issues/222):

yasm 1.3.0.55.g101bc was discovered to contain a segmentation violation via the function do_directive at /nasm/nasm-pp.c.

CVE-2023-31725 (https://github.com/yasm/yasm/issues/221):

yasm 1.3.0.55.g101bc was discovered to contain a heap-use-after-free via the function expand_mmac_params at yasm/modules/preprocs/nasm/nasm-pp.c.

No response to upstream issues.