Bug 1210861 (CVE-2023-30402) - VUL-1: CVE-2023-30402: yasm: heap overflow via the function handle_dot_label at /nasm/nasm-token.re
Status: RESOLVED WONTFIX
Alias: CVE-2023-30402
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Adam Majer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/364444/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-04-26 06:39 UTC by Alexander Bergmann
Modified: 2023-04-26 15:05 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Reproducer (61 bytes, application/octet-stream)
2023-04-26 06:45 UTC, Alexander Bergmann

Description Alexander Bergmann 2023-04-26 06:39:18 UTC
CVE-2023-30402

YASM v1.3.0 was discovered to contain a heap overflow via the function
handle_dot_label at /nasm/nasm-token.re.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-30402
https://www.cve.org/CVERecord?id=CVE-2023-30402
https://github.com/yasm/yasm/issues/206
Comment 1 Alexander Bergmann 2023-04-26 06:45:46 UTC
Created attachment 866607
Reproducer

# valgrind --leak-check=full --show-leak-kinds=all yasm -s -o abc --force-strict 137-HOF
==32530== Memcheck, a memory error detector
==32530== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==32530== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==32530== Command: yasm -s -o abc --force-strict 137-HOF
==32530==
==32530== Invalid read of size 1
==32530==    at 0x142C54: handle_dot_label.isra.0 (nasm-token.re:83)
==32530==    by 0x1979E7: nasm_parser_lex (nasm-token.re:384)
==32530==    by 0x1655FD: UnknownInlinedFun (nasm-parse.c:149)
==32530==    by 0x1655FD: nasm_parser_parse (nasm-parse.c:232)
==32530==    by 0x161E7E: nasm_do_parse (nasm-parser.c:66)
==32530==    by 0x143877: do_assemble (yasm.c:518)
==32530==    by 0x143877: main (yasm.c:748)
==32530==  Address 0x4e93573 is 0 bytes after a block of size 3 alloc'd
==32530==    at 0x4A366A4: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==32530==    by 0x155E61: def_xmalloc (xmalloc.c:69)
==32530==    by 0x155FBC: yasm__xstrndup (xstrdup.c:64)
==32530==    by 0x142C4F: handle_dot_label.isra.0 (nasm-token.re:79)
==32530==    by 0x1979E7: nasm_parser_lex (nasm-token.re:384)
==32530==    by 0x1655FD: UnknownInlinedFun (nasm-parse.c:149)
==32530==    by 0x1655FD: nasm_parser_parse (nasm-parse.c:232)
==32530==    by 0x161E7E: nasm_do_parse (nasm-parser.c:66)
==32530==    by 0x143877: do_assemble (yasm.c:518)
==32530==    by 0x143877: main (yasm.c:748)
...
==32530== LEAK SUMMARY:
==32530==    definitely lost: 0 bytes in 0 blocks
==32530==    indirectly lost: 0 bytes in 0 blocks
==32530==      possibly lost: 0 bytes in 0 blocks
==32530==    still reachable: 480 bytes in 2 blocks
==32530==         suppressed: 0 bytes in 0 blocks
==32530==
==32530== For lists of detected and suppressed errors, rerun with: -s
==32530== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Comment 2 Robert Frohl 2023-04-26 15:05:10 UTC
closing as won't fix