Date: Wed, 11 Jun 2008 20:40:53 +0300
From: Eren Türkay <turkay.eren@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: nasm off-by-one
On 11 Jun 2008 Wed 18:48:14 Nico Golde wrote:
> There is an off-by-one in the ppscan() function which is
> used to preprocess files.
>
> Details:
> https://sourceforge.net/tracker/?func=detail&atid=106208&aid=1942146&group_id=6208
>
> Can I get a CVE id for this one?
Secunia [0] implies that this security flaw also occurs in 0.x. I looked at
the code in the 0.98.39 [1] tarball to backport the vendor-supported patch, but it
seems that 0.x is not vulnerable.
The control of TOKEN_ID in 2.03 [2] is below:
    if (tline->type == TOK_ID) {
        p = tokval->t_charptr = tline->text;
        if (p[0] == '$') {
            tokval->t_charptr++;
            return tokval->t_type = TOKEN_ID;
        }
        for (r = p, s = ourcopy; *r; r++) {
            if (r >= p+MAX_KEYWORD)
                return tokval->t_type = TOKEN_ID; /* Not a keyword */
            *s++ = tolower(*r);
        }
        *s = '\0';
        return nasm_token_hash(ourcopy, tokval);
    }
While 0.98.39 has:
    if (tline->type == TOK_ID) {
        tokval->t_charptr = tline->text;
        if (tline->text[0] == '$') {
            tokval->t_charptr++;
            return tokval->t_type = TOKEN_ID;
        }
        if (!nasm_stricmp(tline->text, "seg"))
            return tokval->t_type = TOKEN_SEG;
        return tokval->t_type = TOKEN_ID;
    }
There is only control for the "seg" value, and after it, it just returns TOKEN_ID.
Could someone shed light on this issue? I'm not completely sure whether this
occurs in 0.x, too.
[0] http://secunia.com/advisories/30594/
[1] http://ovh.dl.sourceforge.net/sourceforge/nasm/nasm-0.98.39.tar.bz2
[2] ftp://ftp.zytor.com/pub/nasm/releasebuilds/2.03/nasm-2.03.tar.bz2
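The bound check in the 2.03 loop quoted above, worked through as an added example (written for this thread, not NASM's own code): it measures how many bytes the lowercase copy writes for an identifier of a given length, which is what decides how large ourcopy must be. MAX_KEYWORD is set to an assumed small value, and the declared size of ourcopy, which the mail does not show, is the quantity the example compares against.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed value for illustration; NASM's real MAX_KEYWORD is not shown here. */
#define MAX_KEYWORD 9

/* Mirrors the 2.03 loop quoted above: lowercase-copy identifier p into
 * dst, bailing out if it is longer than MAX_KEYWORD. Returns the bytes
 * written to dst, terminator included, or 0 when rejected as a keyword. */
size_t copy_keyword_lowercase(const char *p, char *dst)
{
    const char *r;
    char *s;
    for (r = p, s = dst; *r; r++) {
        if (r >= p + MAX_KEYWORD)
            return 0;                       /* Not a keyword */
        *s++ = (char)tolower((unsigned char)*r);
    }
    *s = '\0';
    return (size_t)(s - dst) + 1;
}

/* Defensive form: the destination size is explicit and the copy refuses
 * anything that would not fit together with its terminator. */
size_t copy_keyword_checked(const char *p, char *dst, size_t dst_size)
{
    size_t len = strlen(p), i;
    if (len > MAX_KEYWORD || len + 1 > dst_size)
        return 0;
    for (i = 0; i < len; i++)
        dst[i] = (char)tolower((unsigned char)p[i]);
    dst[len] = '\0';
    return len + 1;
}

/* Feed an identifier of `len` 'A's (len <= MAX_KEYWORD + 1) to either copy
 * and report the bytes written; `checked` selects the defensive copy with a
 * claimed destination of dst_size bytes (dst_size <= MAX_KEYWORD + 2).
 * An identifier of exactly MAX_KEYWORD characters passes the original bound
 * check and still gets a terminator, so it needs MAX_KEYWORD + 1 bytes:
 * a destination declared with MAX_KEYWORD bytes is one byte short. */
size_t bytes_written(size_t len, int checked, size_t dst_size)
{
    char ident[MAX_KEYWORD + 2], dst[MAX_KEYWORD + 2];
    memset(ident, 'A', len);
    ident[len] = '\0';
    return checked ? copy_keyword_checked(ident, dst, dst_size)
                   : copy_keyword_lowercase(ident, dst);
}
```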