update: nasm #1100

Closed
dongsupark opened this issue Jun 27, 2023 · 1 comment · Fixed by flatcar/scripts#2110
Labels
advisory/only-sdk affects only Flatcar SDK advisory security advisory security security concerns

dongsupark commented Jun 27, 2023

Name: nasm
CVEs: CVE-2019-6290, CVE-2019-6291, CVE-2019-8343, CVE-2020-21528, CVE-2021-33450, CVE-2021-33452, CVE-2022-44368, CVE-2022-44369, CVE-2022-44370
CVSSs: 5.5, 5.5, 7.8, 5.5, 5.5, 5.5, 5.5, 5.5, 7.8
Action Needed: TBD, not fixed in upstream

Summary:

  • CVE-2019-6290: An infinite recursion issue was discovered in eval.c in Netwide Assembler (NASM) through 2.14.02. There is a stack exhaustion problem resulting from infinite recursion in the functions expr, rexp, bexpr and cexpr in certain scenarios involving lots of '{' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted asm file.
  • CVE-2019-6291: An issue was discovered in the function expr6 in eval.c in Netwide Assembler (NASM) through 2.14.02. There is a stack exhaustion problem caused by the expr6 function making recursive calls to itself in certain scenarios involving lots of '!' or '+' or '-' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted asm file.
  • CVE-2019-8343: In Netwide Assembler (NASM) 2.14.02, there is a use-after-free in paste_tokens in asm/preproc.c.
  • CVE-2020-21528: A Segmentation Fault issue discovered in ieee_segment function in outieee.c in nasm 2.14.03 and 2.15 allows remote attackers to cause a denial of service via crafted assembly file.
  • CVE-2021-33450: An issue was discovered in NASM version 2.16rc0. There are memory leaks in nasm_calloc() in nasmlib/alloc.c.
  • CVE-2021-33452: An issue was discovered in NASM version 2.16rc0. There are memory leaks in nasm_malloc() in nasmlib/alloc.c.
  • CVE-2022-44368: NASM v2.16 was discovered to contain a null pointer dereference in the NASM component.
  • CVE-2022-44369: NASM 2.16 (development) is vulnerable to 476: Null Pointer Dereference via output/outaout.c.
  • CVE-2022-44370: NASM v2.16 was discovered to contain a heap buffer overflow in the component quote_for_pmake() asm/nasm.c:856

refmap.gentoo: https://bugs.gentoo.org/686720, https://bugs.gentoo.org/686722, https://bugs.gentoo.org/810423, https://bugs.gentoo.org/903755

nasm is included only in Flatcar SDK, so not critical.

@dongsupark dongsupark added security security concerns advisory security advisory advisory/upstream-blocked blocked by upstream projects advisory/only-sdk affects only Flatcar SDK labels Jun 27, 2023
@dongsupark dongsupark moved this from 📝 Needs Triage to ⏳ Long Term in Flatcar tactical, release planning, and roadmap Jun 27, 2023
@dongsupark dongsupark moved this from ⏳ Long Term to 🪵Backlog in Flatcar tactical, release planning, and roadmap Dec 4, 2023
@dongsupark dongsupark removed the advisory/upstream-blocked blocked by upstream projects label Dec 4, 2023

dongsupark commented Dec 4, 2023

CVE-2019-8343 was apparently fixed in 2.16.01.
https://bugs.gentoo.org/686720#c1

Added CVE-2020-21528.
