oss-sec mailing list archives
Re: CVE id request: nasm off-by-one
From: Eren Türkay <turkay.eren () gmail com>
Date: Wed, 11 Jun 2008 20:40:53 +0300
On 11 Jun 2008 Wed 18:48:14 Nico Golde wrote:
> There is an off-by-one in the ppscan() function which is used to preprocess
> files. Details:
> https://sourceforge.net/tracker/?func=detail&atid=106208&aid=1942146&group_id=6208
> Can I get a CVE id for this one?
Secunia [0] implies that this security flaw also occurs in 0.x. I looked at the code in the 0.98.39 [1] tarball to backport the vendor-supported patch, but it seems that 0.x is not vulnerable. The control of TOKEN_ID in 2.03 [2] is below:

    if (tline->type == TOK_ID) {
        p = tokval->t_charptr = tline->text;
        if (p[0] == '$') {
            tokval->t_charptr++;
            return tokval->t_type = TOKEN_ID;
        }
        for (r = p, s = ourcopy; *r; r++) {
            if (r >= p+MAX_KEYWORD)
                return tokval->t_type = TOKEN_ID; /* Not a keyword */
            *s++ = tolower(*r);
        }
        *s = '\0';
        return nasm_token_hash(ourcopy, tokval);
    }

While 0.98.39 has:

    if (tline->type == TOK_ID) {
        tokval->t_charptr = tline->text;
        if (tline->text[0] == '$') {
            tokval->t_charptr++;
            return tokval->t_type = TOKEN_ID;
        }
        if (!nasm_stricmp(tline->text, "seg"))
            return tokval->t_type = TOKEN_SEG;
        return tokval->t_type = TOKEN_ID;
    }

There is only a control for the "seg" value, and after it, it just returns TOKEN_ID. Could someone shed light on this issue? I'm not completely sure whether this occurs in 0.x, too.

[0] http://secunia.com/advisories/30594/
[1] http://ovh.dl.sourceforge.net/sourceforge/nasm/nasm-0.98.39.tar.bz2
[2] ftp://ftp.zytor.com/pub/nasm/releasebuilds/2.03/nasm-2.03.tar.bz2
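The question above comes down to whether the 2.03 copy loop can place its terminating NUL past the end of ourcopy[] for an identifier of MAX_KEYWORD characters or more (0.98.39 has no such copy at all, which is why the hazard is absent there). The harness below is an added example, not nasm code and not from the thread: it reimplements the loop as a stand-alone function that bounds the copy by the destination size as well as MAX_KEYWORD, so boundary lengths can be checked in isolation. MAX_KEYWORD is set to an assumed value here; nasm defines its own.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_KEYWORD 9   /* assumed value for this harness; nasm defines its own */

/*
 * Lower-case `text` into out[out_size] the way the 2.03 ppscan() loop fills
 * ourcopy[] before nasm_token_hash(). Returns the number of characters
 * copied (NUL not counted), or -1 when the identifier cannot be a keyword.
 * The bound is taken from the destination size as well as MAX_KEYWORD, so
 * the terminating NUL can never land past the end of out[].
 */
int scan_keyword(const char *text, char *out, size_t out_size)
{
    const char *r;
    char *s = out;
    if (out_size == 0)
        return -1;
    for (r = text; *r; r++) {
        /* Refuse before the write that would leave no room for the NUL. */
        if ((size_t)(r - text) >= MAX_KEYWORD || (size_t)(s - out) + 1 >= out_size)
            return -1;
        *s++ = (char)tolower((unsigned char)*r);
    }
    *s = '\0';
    return (int)(s - out);
}

/* Length of the lower-cased copy, using a buffer sized like ourcopy[]. */
int keyword_copy_len(const char *text)
{
    char ourcopy[MAX_KEYWORD + 1];
    return scan_keyword(text, ourcopy, sizeof ourcopy);
}

/* 1 if `text` is accepted and its lower-cased copy equals `expected`. */
int keyword_matches(const char *text, const char *expected)
{
    char ourcopy[MAX_KEYWORD + 1];
    if (scan_keyword(text, ourcopy, sizeof ourcopy) < 0)
        return 0;
    return strcmp(ourcopy, expected) == 0;
}
```

An identifier of exactly MAX_KEYWORD characters is copied with its NUL at index MAX_KEYWORD, the last slot of the buffer; one character longer is rejected before any write would go out of bounds.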