Bug#1035951: yasm: CVE-2023-29579

To: Moritz Mühlenhoff <jmm@inutil.org>, 1035951@bugs.debian.org
Subject: Bug#1035951: yasm: CVE-2023-29579
From: Petter Reinholdtsen <pere@hungry.com>
Date: Wed, 30 Apr 2025 07:57:37 +0200
Message-id: <[🔎] aBG70ROZuLeOiHgO@hjemme.reinholdtsen.name>
Reply-to: Petter Reinholdtsen <pere@hungry.com>, 1035951@bugs.debian.org
In-reply-to: <ZF0MXiQX0BV8dOLz@pisco.westfalen.local>
References: <ZF0MXiQX0BV8dOLz@pisco.westfalen.local> <ZF0MXiQX0BV8dOLz@pisco.westfalen.local>

Control: tags -1 + patch pending

I believe the following patch, also passed upstream, will solve this
problem.

Description: Make sure CPU feature parsing use large enough string buffer.
 Fixes CVE-2023-29579.
Author: Petter Reinholdtsen <pere@debian.org>
Bug: https://github.com/yasm/yasm/issues/214
Bug-Debian: https://bugs.debian.org/1035951
Forwarded:  https://github.com/yasm/yasm/issues/214
Last-Update: 2025-04-30
---
--- yasm-1.3.0.orig/modules/arch/x86/x86arch.c
+++ yasm-1.3.0/modules/arch/x86/x86arch.c
@@ -165,8 +165,9 @@ x86_dir_cpu(yasm_object *object, yasm_va
                 yasm_error_set(YASM_ERROR_SYNTAX,
                                N_("invalid argument to [%s]"), "CPU");
             else {
-                char strcpu[16];
-                sprintf(strcpu, "%lu", yasm_intnum_get_uint(intcpu));
+                char strcpu[21]; /* 21 = ceil(log10(LONG_MAX)+1) */
+                assert(8*sizeof(unsigned long) <= 64);
+                snprintf(strcpu, sizeof(strcpu), "%lu", yasm_intnum_get_uint(intcpu));
                 yasm_x86__parse_cpu(arch_x86, strcpu, strlen(strcpu));
             }
         } else

-- 
Happy hacking
Petter Reinholdtsen

Reply to:

Prev by Date: extremely outdated package Autopsy
Next by Date: Bug#1016353: yasm: CVE-2021-33464
Previous by thread: extremely outdated package Autopsy
Next by thread: Processed: Re: yasm: CVE-2023-29579
Index(es):
- Date
- Thread