Patchwork Flex security update: RCE in generated code (CVE-2016-6354)

login
register
mail settings
Submitter Leo Famulari
Date Aug. 26, 2016, 10:14 p.m.
Message ID <20160826221426.GA29432@jasmine>
Download mbox | patch
Permalink /patch/14993/
State New
Headers show

Comments

Leo Famulari - Aug. 26, 2016, 10:14 p.m.
There is a buffer overflow and potential remote code execution
vulnerability in flex's *generated code* before flex version 2.6.1,
CVE-2016-6354:

http://seclists.org/oss-sec/2016/q3/163
https://www.debian.org/security/2016/dsa-3653
https://security-tracker.debian.org/tracker/CVE-2016-6354

Flex has moved to GitHub [0], and so the source code is served over
HTTPS.  Flex is a dependency of GnuTLS. This would create a cycle in our
package graph. This is a problem we need to solve.

In the meantime, I've cherry-picked the commit that contains the bug
fix, and we can provide it as a patch. Please see attached.

[0]
https://sourceforge.net/p/flex/mailman/message/34913710/
From beca37a4edd7e4c4becca23d25c40a9ff43b08c7 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Fri, 26 Aug 2016 18:11:58 -0400
Subject: [PATCH] gnu: flex: Fix CVE-2016-6354.

* gnu/packages/flex.scm (flex)[replacement]: New field.
(flex/fixed): New variable.
* gnu/packages/patches/flex-CVE-2016-6354.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/flex.scm                         |  8 +++++++
 gnu/packages/patches/flex-CVE-2016-6354.patch | 30 +++++++++++++++++++++++++++
 3 files changed, 39 insertions(+)
 create mode 100644 gnu/packages/patches/flex-CVE-2016-6354.patch
Leo Famulari - Aug. 26, 2016, 10:49 p.m.
On Fri, Aug 26, 2016 at 06:14:26PM -0400, Leo Famulari wrote:
> Subject: [PATCH] gnu: flex: Fix CVE-2016-6354.
> 
> * gnu/packages/flex.scm (flex)[replacement]: New field.
> (flex/fixed): New variable.
> * gnu/packages/patches/flex-CVE-2016-6354.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.

As Mark pointed out on #guix, bugs in flex's generated code can not be
addressed with a graft. Also, the upstream tarballs that we build from
often contain code generated by flex.
Ludovic Courtès - Aug. 27, 2016, 9:48 p.m.
Hello!

Leo Famulari <leo@famulari.name> skribis:

> On Fri, Aug 26, 2016 at 06:14:26PM -0400, Leo Famulari wrote:
>> Subject: [PATCH] gnu: flex: Fix CVE-2016-6354.
>> 
>> * gnu/packages/flex.scm (flex)[replacement]: New field.
>> (flex/fixed): New variable.
>> * gnu/packages/patches/flex-CVE-2016-6354.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Add it.
>
> As Mark pointed out on #guix, bugs in flex's generated code can not be
> addressed with a graft.

Indeed.  We should add this patch to ‘core-updates’ and start building
it (I haven’t checked the status of the various branches, though.)

> Also, the upstream tarballs that we build from often contain code
> generated by flex.

Yes, and finding out which tarballs contain vulnerable lexers (or
contain Flex-generated stuff at all) sounds difficult.

Maybe people have developed scripts to help with that?

Thanks,
Ludo’.
Leo Famulari - Aug. 28, 2016, 12:54 a.m.
On Sat, Aug 27, 2016 at 11:48:10PM +0200, Ludovic Courtès wrote:
> Hello!
> 
> Leo Famulari <leo@famulari.name> skribis:
> 
> > On Fri, Aug 26, 2016 at 06:14:26PM -0400, Leo Famulari wrote:
> >> Subject: [PATCH] gnu: flex: Fix CVE-2016-6354.
> >> 
> >> * gnu/packages/flex.scm (flex)[replacement]: New field.
> >> (flex/fixed): New variable.
> >> * gnu/packages/patches/flex-CVE-2016-6354.patch: New file.
> >> * gnu/local.mk (dist_patch_DATA): Add it.
> >
> > As Mark pointed out on #guix, bugs in flex's generated code can not be
> > addressed with a graft.
> 
> Indeed.  We should add this patch to ‘core-updates’ and start building
> it (I haven’t checked the status of the various branches, though.)

Done as eba7fab890.

I'm not sure of the overall health of the branch, but I have built some
packages from it locally on x86_64. So, the base system seems to be
working.
Efraim Flashner - Aug. 28, 2016, 9:41 a.m.
On Sat, Aug 27, 2016 at 08:54:34PM -0400, Leo Famulari wrote:
> On Sat, Aug 27, 2016 at 11:48:10PM +0200, Ludovic Courtès wrote:
> > Hello!
> > 
> > Leo Famulari <leo@famulari.name> skribis:
> > 
> > > On Fri, Aug 26, 2016 at 06:14:26PM -0400, Leo Famulari wrote:
> > >> Subject: [PATCH] gnu: flex: Fix CVE-2016-6354.
> > >> 
> > >> * gnu/packages/flex.scm (flex)[replacement]: New field.
> > >> (flex/fixed): New variable.
> > >> * gnu/packages/patches/flex-CVE-2016-6354.patch: New file.
> > >> * gnu/local.mk (dist_patch_DATA): Add it.
> > >
> > > As Mark pointed out on #guix, bugs in flex's generated code can not be
> > > addressed with a graft.
> > 
> > Indeed.  We should add this patch to ‘core-updates’ and start building
> > it (I haven’t checked the status of the various branches, though.)
> 
> Done as eba7fab890.
> 
> I'm not sure of the overall health of the branch, but I have built some
> packages from it locally on x86_64. So, the base system seems to be
> working.
> 

I somehow managed to push a lot to the branch, and currently cmake is
broken, both the "old" version and the "new" version I pushed. They are
broken in the same way, so (based on nothing at all) I assume its
related to the file update.

Also, gcc-4.9.4 causes the same breakage on arm as 5.3.0 did.

Patch

diff --git a/gnu/local.mk b/gnu/local.mk
index b8c5378..0ba281e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -505,6 +505,7 @@  dist_patch_DATA =						\
   %D%/packages/patches/findutils-localstatedir.patch		\
   %D%/packages/patches/findutils-test-xargs.patch		\
   %D%/packages/patches/flashrom-use-libftdi1.patch		\
+  %D%/packages/patches/flex-CVE-2016-6354.patch			\
   %D%/packages/patches/flint-ldconfig.patch			\
   %D%/packages/patches/fltk-shared-lib-defines.patch		\
   %D%/packages/patches/fltk-xfont-on-demand.patch		\
diff --git a/gnu/packages/flex.scm b/gnu/packages/flex.scm
index 20aff19..b64af0d 100644
--- a/gnu/packages/flex.scm
+++ b/gnu/packages/flex.scm
@@ -31,6 +31,7 @@ 
 (define-public flex
   (package
     (name "flex")
+    (replacement flex/fixed)
     (version "2.6.0")
     (source (origin
              (method url-fetch)
@@ -78,3 +79,10 @@  regular expressions for each rule.  Whenever it finds a match, it
 executes the corresponding C code.")
     (license (non-copyleft "file://COPYING"
                         "See COPYING in the distribution."))))
+
+(define flex/fixed
+  (package
+    (inherit flex)
+    (source (origin
+              (inherit (package-source flex))
+              (patches (search-patches "flex-CVE-2016-6354.patch"))))))
diff --git a/gnu/packages/patches/flex-CVE-2016-6354.patch b/gnu/packages/patches/flex-CVE-2016-6354.patch
new file mode 100644
index 0000000..1f3cb02
--- /dev/null
+++ b/gnu/packages/patches/flex-CVE-2016-6354.patch
@@ -0,0 +1,30 @@ 
+Fix CVE-2016-6354 (Buffer overflow in generated code (yy_get_next_buffer).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354
+https://security-tracker.debian.org/tracker/CVE-2016-6354
+
+Patch copied from upstream source repository:
+https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466
+
+From a5cbe929ac3255d371e698f62dc256afe7006466 Mon Sep 17 00:00:00 2001
+From: Will Estes <westes575@gmail.com>
+Date: Sat, 27 Feb 2016 11:56:05 -0500
+Subject: [PATCH] Fixed incorrect integer type
+
+---
+ src/flex.skl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/flex.skl b/src/flex.skl
+index 36a526a..64f853d 100644
+--- a/src/flex.skl
++++ b/src/flex.skl
+@@ -1703,7 +1703,7 @@ int yyFlexLexer::yy_get_next_buffer()
+ 
+ 	else
+ 		{
+-			yy_size_t num_to_read =
++			int num_to_read =
+ 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+ 
+ 		while ( num_to_read <= 0 )