[Secure-testing-team] Bug#832768: flex: CVE-2016-6354: buffer overflow in generated code (yy_get_next_buffer)
Salvatore Bonaccorso
carnil at debian.org
Thu Jul 28 16:52:02 UTC 2016
Source: flex
Version: 2.5.39-8
Severity: grave
Tags: security upstream patch
Hi,
the following vulnerability was published for flex, fixing this as
grave. It is possible to exploit this remotely, but depending othe
application that is build using flex. And there might be furthermore
sources with shipped lexers built with the broken flex version. All of
those was not investigated.
CVE-2016-6354[0]:
Buffer overflow in generated code (yy_get_next_buffer); related to num_to_read
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-6354
[1] https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466
Regards,
Salvatore
More information about the Secure-testing-team
mailing list