[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Flex security update: RCE in generated code (CVE-2016-6354)
From: |
Leo Famulari |
Subject: |
Flex security update: RCE in generated code (CVE-2016-6354) |
Date: |
Fri, 26 Aug 2016 18:14:26 -0400 |
User-agent: |
Mutt/1.7.0 (2016-08-17) |
There is a buffer overflow and potential remote code execution
vulnerability in flex's *generated code* before flex version 2.6.1,
CVE-2016-6354:
http://seclists.org/oss-sec/2016/q3/163
https://www.debian.org/security/2016/dsa-3653
https://security-tracker.debian.org/tracker/CVE-2016-6354
Flex has moved to GitHub [0], and so the source code is served over
HTTPS. Flex is a dependency of GnuTLS. This would create a cycle in our
package graph. This is a problem we need to solve.
In the meantime, I've cherry-picked the commit that contains the bug
fix, and we can provide it as a patch. Please see attached.
[0]
https://sourceforge.net/p/flex/mailman/message/34913710/
0001-gnu-flex-Fix-CVE-2016-6354.patch
Description: Text document
signature.asc
Description: PGP signature
- Flex security update: RCE in generated code (CVE-2016-6354),
Leo Famulari <=