flex: Potential insecure code generation

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 200603-07 / flex
Release Date: March 10, 2006
Latest Revision: March 10, 2006: 01
Impact: normal
Exploitable: remote and local

Package: sys-devel/flex
Vulnerable versions: < 2.5.33-r1
Unaffected versions: >= 2.5.33-r1
Architecture(s): All supported architectures

Related bugreports: #122940

Synopsis

flex might generate code with a buffer overflow, making applications using such scanners vulnerable to the execution of arbitrary code.

2.  Impact Information

Background

flex is a programming tool used to generate scanners (programs which recognize lexical patterns in text).

Description

Chris Moore discovered a buffer overflow in a special class of lexicographical scanners generated by flex. Only scanners generated from grammars that use either REJECT or rules with a "variable trailing context" might be at risk.

Impact

An attacker could feed malicious input to an application making use of an affected scanner and trigger the buffer overflow, potentially resulting in the execution of arbitrary code.

3.  Resolution Information

Workaround

Avoid using the affected constructs (REJECT, or rules with a "variable trailing context") in the grammars of your flex scanners.
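To find grammars that use the constructs named in the Description, the following added example (not part of the advisory or of flex) scans the rules section of a flex input file for the REJECT action and for trailing-context rules in which both sides of the "/" contain a repetition or alternation operator. The names audit_grammar, split_pattern and SAMPLE are hypothetical. The check is a heuristic that over-reports, for example on REJECT inside a comment or on a fixed repeat such as a{3}.

```python
import re

# Escaped characters, quoted strings and character classes cannot contain operators.
STRIP = re.compile(r'\\.|"(?:\\.|[^"\\])*"|\[(?:\\.|[^\]\\])*\]')
VARIABLE_OPS = set("*+?|{")  # assumption: any of these may make a sub-pattern variable-length

def split_pattern(line):
    """Return (head, tail) of a rule's pattern split at an unquoted '/'.
    tail is None when the rule has no trailing context."""
    bare = STRIP.sub("", line)
    # The pattern ends at the first bare whitespace; indented lines are action code.
    pattern = bare.split(None, 1)[0] if bare[:1].strip() else ""
    head, sep, tail = pattern.partition("/")
    return head, (tail if sep else None)

def audit_grammar(text):
    """Return (line_no, reason) findings for the rules section of a flex grammar."""
    findings, section = [], 0
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip() == "%%":
            section += 1          # 0 = definitions, 1 = rules, 2 = user code
        elif section == 1:
            if re.search(r"\bREJECT\b", line):
                findings.append((no, "REJECT"))
            head, tail = split_pattern(line)
            if tail and VARIABLE_OPS & set(head) and VARIABLE_OPS & set(tail):
                findings.append((no, "variable trailing context"))
    return findings

# Constructed sample grammar, not taken from any real project.
SAMPLE = r'''DIGIT [0-9]
%%
[a-z]+/{DIGIT}+   { return 1; }
"if"/[ \t]        { return 2; }
foo|foobar        { count++; REJECT; }
"a/b"+            { return 3; }
%%
'''

if __name__ == "__main__":
    for no, reason in audit_grammar(SAMPLE):
        print(f"line {no}: {reason}")
```

Scanners built from flagged grammars should be regenerated with the fixed flex and recompiled, since the generated C code is what carries the overflow.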

Resolution

All flex users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-devel/flex-2.5.33-r1"


Page updated March 10, 2006

Copyright 2001-2014 Gentoo Foundation, Inc.