123 lines
8.9 KiB
XML
123 lines
8.9 KiB
XML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
|
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
|
||
|
|
<DocumentTitle xml:lang="en">An update for bison is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3</DocumentTitle>
|
||
|
|
<DocumentType>Security Advisory</DocumentType>
|
||
|
|
<DocumentPublisher Type="Vendor">
|
||
|
|
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
|
||
|
|
<IssuingAuthority>openEuler security committee</IssuingAuthority>
|
||
|
|
</DocumentPublisher>
|
||
|
|
<DocumentTracking>
|
||
|
|
<Identification>
|
||
|
|
<ID>openEuler-SA-2022-1767</ID>
|
||
|
|
</Identification>
|
||
|
|
<Status>Final</Status>
|
||
|
|
<Version>1.0</Version>
|
||
|
|
<RevisionHistory>
|
||
|
|
<Revision>
|
||
|
|
<Number>1.0</Number>
|
||
|
|
<Date>2022-07-22</Date>
|
||
|
|
<Description>Initial</Description>
|
||
|
|
</Revision>
|
||
|
|
</RevisionHistory>
|
||
|
|
<InitialReleaseDate>2022-07-22</InitialReleaseDate>
|
||
|
|
<CurrentReleaseDate>2022-07-22</CurrentReleaseDate>
|
||
|
|
<Generator>
|
||
|
|
<Engine>openEuler SA Tool V1.0</Engine>
|
||
|
|
<Date>2022-07-22</Date>
|
||
|
|
</Generator>
|
||
|
|
</DocumentTracking>
|
||
|
|
<DocumentNotes>
|
||
|
|
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">bison security update</Note>
|
||
|
|
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for bison is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3.</Note>
|
||
|
|
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">Bison is a general-purpose parser generator that converts an annotated context-free grammar into a deterministic LR or generalized LR (GLR) parser employing LALR(1) parser tables. As an experimental feature, Bison can also generate IELR(1) or canonical LR(1) parser tables. Once you are proficient with Bison, you can use it to develop a wide range of language parsers, from those used in simple desk calculators to complex programming languages.
|
||
|
|
|
||
|
|
Security Fix(es):
|
||
|
|
|
||
|
|
GNU Bison before 3.7.1 has a use-after-free in _obstack_free in lib/obstack.c (called from gram_lex) when a '\0' byte is encountered. NOTE: there is a risk only if Bison is used with untrusted input, and the observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug report was intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated by Bison.(CVE-2020-24240)</Note>
|
||
|
|
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for bison is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3.
|
||
|
|
|
||
|
|
openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
|
||
|
|
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Medium</Note>
|
||
|
|
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">bison</Note>
|
||
|
|
</DocumentNotes>
|
||
|
|
<DocumentReferences>
|
||
|
|
<Reference Type="Self">
|
||
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1767</URL>
|
||
|
|
</Reference>
|
||
|
|
<Reference Type="openEuler CVE">
|
||
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2020-24240</URL>
|
||
|
|
</Reference>
|
||
|
|
<Reference Type="Other">
|
||
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2020-24240</URL>
|
||
|
|
</Reference>
|
||
|
|
</DocumentReferences>
|
||
|
|
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
|
||
|
|
<Branch Type="Product Name" Name="openEuler">
|
||
|
|
<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
|
||
|
|
<FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>
|
||
|
|
</Branch>
|
||
|
|
<Branch Type="Package Arch" Name="aarch64">
|
||
|
|
<FullProductName ProductID="bison-debuginfo-3.6.4-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">bison-debuginfo-3.6.4-2.oe1.aarch64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-debugsource-3.6.4-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">bison-debugsource-3.6.4-2.oe1.aarch64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-lang-3.6.4-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">bison-lang-3.6.4-2.oe1.aarch64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-devel-3.6.4-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">bison-devel-3.6.4-2.oe1.aarch64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-3.6.4-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">bison-3.6.4-2.oe1.aarch64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-debuginfo-3.6.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">bison-debuginfo-3.6.4-3.oe1.aarch64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-3.6.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">bison-3.6.4-3.oe1.aarch64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-debugsource-3.6.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">bison-debugsource-3.6.4-3.oe1.aarch64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-devel-3.6.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">bison-devel-3.6.4-3.oe1.aarch64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-lang-3.6.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">bison-lang-3.6.4-3.oe1.aarch64.rpm</FullProductName>
|
||
|
|
</Branch>
|
||
|
|
<Branch Type="Package Arch" Name="noarch">
|
||
|
|
<FullProductName ProductID="bison-help-3.6.4-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">bison-help-3.6.4-2.oe1.noarch.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-help-3.6.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">bison-help-3.6.4-3.oe1.noarch.rpm</FullProductName>
|
||
|
|
</Branch>
|
||
|
|
<Branch Type="Package Arch" Name="src">
|
||
|
|
<FullProductName ProductID="bison-3.6.4-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">bison-3.6.4-2.oe1.src.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-3.6.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">bison-3.6.4-3.oe1.src.rpm</FullProductName>
|
||
|
|
</Branch>
|
||
|
|
<Branch Type="Package Arch" Name="x86_64">
|
||
|
|
<FullProductName ProductID="bison-3.6.4-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">bison-3.6.4-2.oe1.x86_64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-devel-3.6.4-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">bison-devel-3.6.4-2.oe1.x86_64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-lang-3.6.4-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">bison-lang-3.6.4-2.oe1.x86_64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-debugsource-3.6.4-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">bison-debugsource-3.6.4-2.oe1.x86_64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-debuginfo-3.6.4-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">bison-debuginfo-3.6.4-2.oe1.x86_64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-debuginfo-3.6.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">bison-debuginfo-3.6.4-3.oe1.x86_64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-devel-3.6.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">bison-devel-3.6.4-3.oe1.x86_64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-3.6.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">bison-3.6.4-3.oe1.x86_64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-lang-3.6.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">bison-lang-3.6.4-3.oe1.x86_64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="bison-debugsource-3.6.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">bison-debugsource-3.6.4-3.oe1.x86_64.rpm</FullProductName>
|
||
|
|
</Branch>
|
||
|
|
</ProductTree>
|
||
|
|
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
||
|
|
<Notes>
|
||
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">GNU Bison before 3.7.1 has a use-after-free in _obstack_free in lib/obstack.c (called from gram_lex) when a 0 byte is encountered. NOTE: there is a risk only if Bison is used with untrusted input, and the observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug report was intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated by Bison.</Note>
|
||
|
|
</Notes>
|
||
|
|
<ReleaseDate>2022-07-22</ReleaseDate>
|
||
|
|
<CVE>CVE-2020-24240</CVE>
|
||
|
|
<ProductStatuses>
|
||
|
|
<Status Type="Fixed">
|
||
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
||
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
||
|
|
</Status>
|
||
|
|
</ProductStatuses>
|
||
|
|
<Threats>
|
||
|
|
<Threat Type="Impact">
|
||
|
|
<Description>Medium</Description>
|
||
|
|
</Threat>
|
||
|
|
</Threats>
|
||
|
|
<CVSSScoreSets>
|
||
|
|
<ScoreSet>
|
||
|
|
<BaseScore>5.5</BaseScore>
|
||
|
|
<Vector>AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H</Vector>
|
||
|
|
</ScoreSet>
|
||
|
|
</CVSSScoreSets>
|
||
|
|
<Remediations>
|
||
|
|
<Remediation Type="Vendor Fix">
|
||
|
|
<Description>bison security update</Description>
|
||
|
|
<DATE>2022-07-22</DATE>
|
||
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1767</URL>
|
||
|
|
</Remediation>
|
||
|
|
</Remediations>
|
||
|
|
</Vulnerability>
|
||
|
|
</cvrfdoc>
|