Bug 739018 (CVE-2020-24240) - <sys-devel/bison-3.7.1: Use after free (CVE-2020-24240)
Summary: <sys-devel/bison-3.7.1: Use after free (CVE-2020-24240)
Status: RESOLVED FIXED
Alias: CVE-2020-24240
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/akimd/bison/commit...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2020-14150
Blocks:
Reported: 2020-08-26 00:54 UTC by Sam James
Modified: 2021-07-24 05:54 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester gentoo-dev Security 2020-08-26 00:54:21 UTC
Description:
"GNU Bison 3.7 has a use after free (UAF) vulnerability. A local attacker may execute bison with crafted input file containing a NULL byte, which could trigger UAF and thus cause system crash."

Patch: https://github.com/akimd/bison/commit/be95a4fe2951374676efc9454ffee8638faaf68d

Bug: https://lists.gnu.org/r/bug-bison/2020-07/msg00051.html
Comment 1 NATTkA bot gentoo-dev 2020-08-26 00:56:51 UTC
Sanity check failed:

> sys-devel/bison-3.7.1
>   bdepend amd64 stable profile default/linux/amd64/17.0 (79 total)
>     >=sys-devel/gettext-0.21
>   bdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (35 total)
>     >=sys-devel/gettext-0.21
Comment 2 NATTkA bot gentoo-dev 2020-08-31 20:48:58 UTC
Sanity check failed:

> sys-devel/bison-3.7.1
>   bdepend amd64 stable profile default/linux/amd64/17.0 (68 total)
>     >=sys-devel/gettext-0.21
>   bdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (35 total)
>     >=sys-devel/gettext-0.21
Comment 3 NATTkA bot gentoo-dev 2020-08-31 20:52:52 UTC
All sanity-check issues have been resolved
Comment 4 NATTkA bot gentoo-dev 2020-08-31 21:24:51 UTC
Sanity check failed:

> sys-devel/bison-3.7.1
>   bdepend ppc stable profile default/linux/powerpc/ppc32/17.0 (10 total)
>     >=sys-devel/gettext-0.21
Comment 5 NATTkA bot gentoo-dev 2020-08-31 21:28:52 UTC
All sanity-check issues have been resolved
Comment 6 NATTkA bot gentoo-dev 2020-08-31 21:48:51 UTC
Sanity check failed:

> sys-devel/bison-3.7.1
>   bdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=sys-devel/gettext-0.21
Comment 7 NATTkA bot gentoo-dev 2020-08-31 21:52:52 UTC
Sanity check failed:

> sys-devel/bison-3.7.1
>   bdepend arm stable profile default/linux/arm/17.0 (27 total)
>     >=sys-devel/gettext-0.21
>   bdepend arm dev profile default/linux/arm/17.0/armv4 (33 total)
>     >=sys-devel/gettext-0.21
Comment 8 NATTkA bot gentoo-dev 2020-08-31 21:56:51 UTC
All sanity-check issues have been resolved
Comment 9 NATTkA bot gentoo-dev 2020-09-07 20:53:38 UTC
Unable to check for sanity:

> no match for package: sys-devel/bison-3.7.1
Comment 10 John Helmert III gentoo-dev Security 2021-07-24 05:54:40 UTC
All done!