Flex security update: RCE in generated code (CVE-2016-6354)

From: Leo Famulari
Subject: Flex security update: RCE in generated code (CVE-2016-6354)
Date: Fri, 26 Aug 2016 18:14:26 -0400
User-agent: Mutt/1.7.0 (2016-08-17)

There is a buffer overflow and potential remote code execution
vulnerability in flex's *generated code* before flex version 2.6.1,

Flex has moved to GitHub [0], and so the source code is served over
HTTPS.  Flex is a dependency of GnuTLS. This would create a cycle in our
package graph. This is a problem we need to solve.

In the meantime, I've cherry-picked the commit that contains the bug
fix, and we can provide it as a patch. Please see attached.


Attachment: 0001-gnu-flex-Fix-CVE-2016-6354.patch
Description: Text document

Attachment: signature.asc
Description: PGP signature
