Bug 717936 (CVE-2020-14150) - <sys-devel/bison-3.5.4: Multiple vulnerabilities (CVE-2020-14150)
Summary: <sys-devel/bison-3.5.4: Multiple vulnerabilities (CVE-2020-14150)
Status: RESOLVED FIXED
Alias: CVE-2020-14150
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://lists.gnu.org/archive/html/in...
Whiteboard: A3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2020-24240
Reported: 2020-04-17 18:19 UTC by Sam James
Modified: 2021-05-22 18:06 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-17 18:19:26 UTC
Quoting from 3.5.4 release notes:
"Several unlikely crashes found by fuzzing have been fixed."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-17 18:20:41 UTC
@maintainer(s), please advise if ready for stabilisation, or call yourself.

Given that these crashes are unlikely, if you are not yet comfortable with stabilisation, there is no problem.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-04 17:00:35 UTC
ping
Comment 3 Andreas Sturmlechner gentoo-dev 2020-06-28 17:50:25 UTC
Why not go straight for 3.6.4?
Comment 4 Joakim Tjernlund 2020-06-29 20:50:43 UTC
(In reply to Andreas Sturmlechner from comment #3)
> Why not go straight for 3.6.4?

Yes, that would be great.
Comment 5 Rolf Eike Beer archtester 2020-07-29 17:34:59 UTC
hppa stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2020-08-01 15:20:12 UTC
sparc stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2020-08-29 14:53:59 UTC
x86 stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2020-08-31 19:13:34 UTC
Restarting stabilization with newer version due to bug 704894.
Comment 9 NATTkA bot gentoo-dev 2020-08-31 19:17:07 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2020-08-31 19:22:31 UTC Comment hidden (obsolete)
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 19:35:05 UTC
*** Bug 733710 has been marked as a duplicate of this bug. ***
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2020-08-31 20:45:03 UTC
x86 stable
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 20:55:38 UTC
s390 done
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 20:59:50 UTC
s390 done
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 21:23:35 UTC
ppc done
Comment 16 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 21:34:46 UTC
amd64 done
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 21:48:20 UTC
arm64 done
Comment 18 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 21:49:02 UTC
sparc done
Comment 19 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 21:49:50 UTC
ppc64 done
Comment 20 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 21:50:31 UTC
arm done
Comment 21 NATTkA bot gentoo-dev 2020-09-07 20:57:11 UTC Comment hidden (obsolete)
Comment 22 Sergei Trofimovich (RETIRED) gentoo-dev 2020-09-07 21:21:21 UTC
hppa stable
Comment 23 Sergei Trofimovich (RETIRED) gentoo-dev 2020-09-07 21:22:32 UTC
(In reply to Sergei Trofimovich from comment #22)
> hppa stable

Nope, wrong package name. Returning.
Comment 24 NATTkA bot gentoo-dev 2020-09-07 21:27:22 UTC Comment hidden (obsolete)
Comment 25 Rolf Eike Beer archtester 2020-09-19 20:32:54 UTC
hppa stable
Comment 26 NATTkA bot gentoo-dev 2020-12-25 14:29:09 UTC Comment hidden (obsolete)
Comment 27 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-25 18:56:34 UTC
Please cleanup, if possible
Comment 28 NATTkA bot gentoo-dev 2020-12-25 18:57:06 UTC
Unable to check for sanity:

> no match for package: sys-devel/bison-3.7.1-r1
Comment 29 David Seifert gentoo-dev 2021-05-22 16:03:57 UTC
All vulnerable versions gone
Comment 30 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-22 18:06:05 UTC
Thank you! All done.