810423 – (CVE-2020-18974, CVE-2021-45256, CVE-2021-45257) dev-lang/nasm: multiple vulnerabilities

Bug 810423 (CVE-2020-18974, CVE-2021-45256, CVE-2021-45257) - dev-lang/nasm: multiple vulnerabilities

Summary: dev-lang/nasm: multiple vulnerabilities

Status:	CONFIRMED

Alias:	CVE-2020-18974, CVE-2021-45256, CVE-2021-45257

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.nasm.us/show_bug.cgi...
Whiteboard:	B3 [upstream]
Keywords:

Depends on:
Blocks:

Reported:	2021-08-25 19:25 UTC by John Helmert III
Modified:	2021-12-23 08:35 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III gentoo-dev

2021-08-25 19:25:25 UTC

CVE-2020-18974:

Buffer Overflow in Netwide Assembler (NASM) v2.15.xx allows attackers to cause a denial of service via 'crc64i' in the component 'nasmlib/crc64'. This issue is different than CVE-2019-7147.

Upstream issue is currently untouched.

Comment 1 John Helmert III gentoo-dev

2021-12-23 08:35:31 UTC

CVE-2021-45256 (https://bugzilla.nasm.us/show_bug.cgi?id=3392789):

A Null Pointer Dereference vulnerability existfs in nasm 2.16rc0 via asm/preproc.c.

CVE-2021-45257 (https://bugzilla.nasm.us/show_bug.cgi?id=3392790):

An infinite loop vulnerability exists in nasm 2.16rc0 via the gpaste_tokens function.

Can't tell if there's been any action taken upstream as their Bugzilla seems to be down.