Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 739020 (CVE-2020-24241, CVE-2020-24242) - <dev-lang/nasm-2.15.0: Multiple vulnerabilities (CVE-2020-{24241,24242})
Summary: <dev-lang/nasm-2.15.0: Multiple vulnerabilities (CVE-2020-{24241,24242})
Status: RESOLVED FIXED
Alias: CVE-2020-24241, CVE-2020-24242
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-26 01:01 UTC by Sam James
Modified: 2021-01-25 23:54 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-26 01:01:58 UTC
* CVE-2020-24241

Description:
"In Netwide Assembler (NASM) 2.15rc10, there is heap use-after-free in saa_wbytes in nasmlib/saa.c."

Bug: https://bugzilla.nasm.us/show_bug.cgi?id=3392707

* CVE-2020-24242

Description:
"In Netwide Assembler (NASM) 2.15rc10, SEGV can be triggered in tok_text in asm/preproc.c by accessing READ memory."

Bug: https://bugzilla.nasm.us/show_bug.cgi?id=3392708
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-28 20:58:16 UTC
These are ostensibly against an rc version and I can't reproduce with 2.15.04 so we might not be affected.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-28 21:15:29 UTC
(In reply to John Helmert III (ajak) from comment #1)
> These are ostensibly against an rc version and I can't reproduce with
> 2.15.04 so we might not be affected.

Sorry, 2.14.02 is what appears unaffected.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-08 16:27:42 UTC
Ping
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2020-10-10 07:57:18 UTC
It's not clear if you ping maintainers or security. If not specified otherwise I always assume assignee.

It's also not clear what action you expect.

Upstream bugs claim to fix both in problems in >=nasm-2.15.04.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-10 14:38:36 UTC
(In reply to Sergei Trofimovich from comment #4)
> It's not clear if you ping maintainers or security. If not specified
> otherwise I always assume assignee.
> 
> It's also not clear what action you expect.

Sorry! It is unclear whether our versions in tree were ever affected. If not, we can just close this bug.
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2020-10-10 20:23:25 UTC
nasm-2.15.03 was probably last affected version (not in tree anymore).
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-25 23:54:25 UTC
(In reply to Sergei Trofimovich from comment #6)
> nasm-2.15.03 was probably last affected version (not in tree anymore).

Thanks!