232005 – (CVE-2008-3196) dev-util/yacc skeleton.c rule reduction stack error (CVE-2008-3196)

Bug 232005 (CVE-2008-3196) - dev-util/yacc skeleton.c rule reduction stack error (CVE-2008-3196)

Summary: dev-util/yacc skeleton.c rule reduction stack error (CVE-2008-3196)

Status:	RESOLVED FIXED

Alias:	CVE-2008-3196

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2008-07-16 21:20 UTC by Robert Buchholz (RETIRED)
Modified:	2011-10-20 04:57 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
yacc-skeleton.c-CVE-2008-3196.patch (yacc-skeleton.c-CVE-2008-3196.patch,1.15 KB, patch) 2008-07-16 21:55 UTC, Robert Buchholz (RETIRED)	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Buchholz (RETIRED) gentoo-dev

2008-07-16 21:20:22 UTC

CVE-2008-3196 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3196):
  skeleton.c in yacc does not properly handle reduction of a rule with an empty
  right hand side, which allows context-dependent attackers to cause an
  out-of-bounds stack access when the yacc stack pointer points to the end of
  the stack.

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2008-07-16 21:22:40 UTC

OpenBSD Patch:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/yacc/skeleton.c.diff?r1=1.28&r2=1.29

Comment 2 Robert Buchholz (RETIRED) gentoo-dev

2008-07-16 21:30:23 UTC

This might also affect
 dev-util/byacc
 dev-util/btyacc
 sys-freebsd/freebsd-ubin
 dev-lang/ocaml

Comment 3 Robert Buchholz (RETIRED) gentoo-dev

2008-07-16 21:55:49 UTC

Created attachment 160604 [details, diff]
yacc-skeleton.c-CVE-2008-3196.patch

Comment 4 Robert Buchholz (RETIRED) gentoo-dev

2008-07-16 21:57:57 UTC

ocaml was a false positive

Comment 5 Robert Buchholz (RETIRED) gentoo-dev

2008-07-16 22:03:54 UTC

same for btyacc.
byacc is affected, so we have two maintainer-needed packages for this.

Since yacc input should be trusted input anyway (it will create code to be run), I am tempted to call this a non-issue.

Comment 6 Robert Buchholz (RETIRED) gentoo-dev

2008-10-04 18:57:54 UTC

I have bumped the two packages, let's stable this on 2008-10-11 if no bugs pop up.

Comment 7 Robert Buchholz (RETIRED) gentoo-dev

2008-10-22 19:14:54 UTC

Arches, please test and mark stable:
=dev-util/yacc-1.9.1-r4
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

=dev-util/byacc-1.9-r2
Target keywords : "alpha amd64 ia64 ppc ppc64 s390 sparc x86"

Comment 8 Ferris McCormick (RETIRED) gentoo-dev

2008-10-22 19:41:58 UTC

Sparc stable for yacc-1.9.1-r4 and byacc-1.9-r2.  I also fixed a couple quoting problems ${FILESDIR} --> "${FILESDIR}" in byacc-1.9-r2 (I didn't bother with -1.9 or 1-9-r1).

Curious that even though yacc is part of the originil Unix, I think, it still does not come with a test phase.

Comment 9 Markus Meier gentoo-dev

2008-10-23 18:23:48 UTC

amd64/x86 stable

Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev

2008-10-23 18:34:32 UTC

ppc stable

Comment 11 Raúl Porcel (RETIRED) gentoo-dev

2008-10-24 09:05:09 UTC

alpha/ia64 stable

Comment 12 Jeroen Roovers (RETIRED) gentoo-dev

2008-10-24 21:52:42 UTC

Stable for HPPA.

Comment 13 Brent Baude (RETIRED) gentoo-dev

2008-10-27 20:04:55 UTC

ppc64 done

Comment 14 Tobias Heinlein (RETIRED) gentoo-dev

2008-11-05 08:49:03 UTC

Ready for vote, I vote NO.

Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev

2008-11-05 11:23:14 UTC

voting NO too and closing.