MGASA-2016-0396

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2016-0396.html

Import Source

https://advisories.mageia.org/MGASA-2016-0396.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2016-0396

Related

CVE-2016-6354

Published

2016-11-23T11:11:14Z

Modified

2016-11-23T08:54:38Z

Summary

Updated flex packages fix security vulnerability

Details

It was found that flex incorrectly resized the numtoread variable in yygetnext_buffer. The buffer is resized if this value is less or equal to zero. With special crafted input it is possible, that the buffer is not resized if the input is larger than the default buffer size of 16k. This allows a heap buffer overflow. It may be possible to exploit this remotely, depending on the application that is built using flex (CVE-2016-6354).

Note that any affected applications would need to be rebuilt with the updated flex to fully fix this issue.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:5 / flex

Package

Name: flex
Purl: pkg:rpm/mageia/flex?distro=mageia-5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.5.39-3.1.mga5

Ecosystem specific

{
    "section": "core"
}