* [Buildroot] [git commit] package/flex: ignore CVE-2019-6293
@ 2021-04-24 9:25 Yann E. MORIN
From: Yann E. MORIN @ 2021-04-24 9:25 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=120d1241d8301089ed05f865f03b4915c843e936
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
https://security-tracker.debian.org/tracker/CVE-2019-6293
https://github.com/NixOS/nixpkgs/issues/55386#issuecomment-683792976
"But this bug does not cause stack overflows in the generated code.
The function and file referred to in the bug (mark_beginning_as_normal
in nfa.c) are part of the flex code generator, not part of the
generated code. If flex crashes before generating any code, that
can hardly be a vulnerability. If flex does not crash, the generated
code is fine (or perhaps subject to other unreported bugs, who knows,
but the NFA has been generated correctly)."
Upstream has chosen to not provide a fix
https://github.com/westes/flex/issues/414
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
[yann.morin.1998 at free.fr: use actual upstream URL]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
---
package/flex/flex.mk | 3 +++
1 file changed, 3 insertions(+)
diff --git a/package/flex/flex.mk b/package/flex/flex.mk
index 2d00969662..85da5ddae8 100644
--- a/package/flex/flex.mk
+++ b/package/flex/flex.mk
@@ -10,6 +10,9 @@ FLEX_INSTALL_STAGING = YES
FLEX_LICENSE = FLEX
FLEX_LICENSE_FILES = COPYING
FLEX_CPE_ID_VENDOR = flex_project
+# bug does not cause stack overflows in the generated code and has been
+# noted upstream as a bug in the code generator
+FLEX_IGNORE_CVES = CVE-2019-6293
FLEX_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES) host-m4
HOST_FLEX_DEPENDENCIES = host-m4
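Review bot: the two-line comment above `FLEX_IGNORE_CVES` states the conclusion but not its source; the commit message carries the upstream issue (https://github.com/westes/flex/issues/414) and the Debian tracker entry, and since the .mk file is what a later maintainer will read when re-evaluating the ignore, the upstream issue URL belongs in the comment too. Worth stating explicitly as well that the crash is in the flex code generator run at build time (host-flex), not in the scanners it emits, which is the actual reason the CVE is not relevant to the target. Something like:

`# CVE-2019-6293 is a crash in the flex code generator itself, not in the generated scanners; upstream declined to fix it, see https://github.com/westes/flex/issues/414`

would let the ignore be audited without digging through git history.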