CVE-2017-14228 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14228): In Netwide Assembler (NASM) 2.14rc0, there is an illegal address access in the function paste_tokens() in preproc.c, aka a NULL pointer dereference. It will lead to remote denial of service.

CVE-2017-11111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11111): In Netwide Assembler (NASM) 2.14rc0, preproc.c allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file.

CVE-2017-10686 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10686): In Netwide Assembler (NASM) 2.14rc0, there are multiple heap use after free vulnerabilities in the tool nasm. The related heap is allocated in the token() function and freed in the detoken() function (called by pp_getline()) - it is used again at multiple positions later that could cause multiple damages. For example, it causes a corrupted double-linked list in detoken(), a double free or corruption in delete_Token(), and an out-of-bounds write in detoken(). It has a high possibility to lead to a remote code execution attack.

(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2017-14228 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14228):

https://bugzilla.nasm.us/show_bug.cgi?id=3392423

> CVE-2017-11111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11111):

Dup of https://bugs.gentoo.org/624646

> CVE-2017-10686 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10686):

https://bugzilla.nasm.us/show_bug.cgi?id=3392414

All 3 were fixed in nasm-2.13.02. Gentoo got nasm-2.13.03 in https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-lang/nasm?id=5b594e538e38230b85a5f0164d1d8b90d137f81b

This issue was resolved and addressed in GLSA 201903-19 at https://security.gentoo.org/glsa/201903-19 by GLSA coordinator Aaron Bauman (b-man).