
flex: Potential insecure code generation


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 200603-07 / flex
Release Date: March 10, 2006
Latest Revision: March 10, 2006: 01
Impact: normal
Exploitable: remote and local

Package: sys-devel/flex
Vulnerable versions: < 2.5.33-r1
Unaffected versions: >= 2.5.33-r1
Architecture(s): All supported architectures

Related bugreports: #122940


flex might generate code with a buffer overflow, making applications using such scanners vulnerable to the execution of arbitrary code.

2.  Impact Information


flex is a programming tool used to generate scanners (programs which recognize lexical patterns in text).


Chris Moore discovered a buffer overflow in a special class of lexicographical scanners generated by flex. Only scanners generated from grammars that use either REJECT or rules with a "variable trailing context" might be at risk.


An attacker could feed malicious input to an application making use of an affected scanner and trigger the buffer overflow, potentially resulting in the execution of arbitrary code.

3.  Resolution Information


Avoid using vulnerable grammar in your flex scanners.
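
To find the grammars this workaround applies to, the following added example (not part of the advisory or of flex) is a heuristic triage script for flex source files. It flags REJECT in the rules section and trailing-context rules (head/tail) where both sides look variable-length, which is how the flex manual characterises variable trailing context; the function names and the sample grammar are constructed for illustration.

```python
import re

# Operators that can make a sub-pattern variable-length; {name} and {n,m}
# are counted conservatively because their length is not known here.
VARIABLE = re.compile(r'[*+?|]|\{[^}]*\}')
# Escapes, quoted strings and character classes only match literal text.
LITERAL = re.compile(r'\\.|"(?:\\.|[^"\\])*"|\[(?:\\.|[^\]\\])*\]')

def split_trailing_context(line):
    """Split a rule's pattern at its unquoted '/', or return None."""
    in_quote = in_class = False
    slash, i = None, 0
    while i < len(line):
        c = line[i]
        if c == '\\':
            i += 1                     # skip the escaped character
        elif in_quote:
            in_quote = c != '"'
        elif in_class:
            in_class = c != ']'
        elif c in '"[':
            in_quote, in_class = c == '"', c == '['
        elif c in ' \t':
            break                      # pattern ends, action follows
        elif c == '/' and slash is None:
            slash = i
        i += 1
    return None if slash is None else (line[:slash], line[slash + 1:i])

def audit(source):
    """Return (line number, reason) findings for one flex grammar."""
    findings, section = [], 0
    for no, line in enumerate(source.splitlines(), 1):
        section += line.startswith('%%')
        if section != 1 or line.startswith('%%'):
            continue                   # only the rules section is checked
        if re.search(r'\bREJECT\b', line):
            findings.append((no, 'REJECT'))
        if line[:1].strip():           # rules start in column 0
            parts = split_trailing_context(re.sub(r'^<[^>]*>', '', line))
            if parts and all(VARIABLE.search(LITERAL.sub('x', p)) for p in parts):
                findings.append((no, 'variable trailing context'))
    return findings

# Constructed sample grammar (not from the advisory).
SAMPLE = r'''%%
[a-z]+/[0-9]+   { return WORD; }
"if"/[ \t]      { return IF; }
foo             { count++; REJECT; }
%%'''
```

A finding means the grammar needs manual review or a rebuild with a fixed flex; the script is a first-pass filter and can miss or over-report unusual patterns.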


All flex users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-devel/flex-2.5.33-r1"

4.  References


Page updated March 10, 2006

Summary: This is a Gentoo Linux Security Advisory
