Heap-based buffer overflow in the yylex() function #36
Comments
Confirmed. I see the same error (and some more warnings too ...). Will fix this. Please stand by.
This issue has been assigned CVE-2019-19720.
Fixed with 2.86.2.
Thanks for the fix, 2.86.2 solves the issue for me as well. In the future, it would be nice if you could mention the CVE in the ChangeLog and in the release notes, as it helps distribution packagers who track the CVE database to figure out which issues were fixed by a particular release.
Hi, I see. Unfortunately I read your suggestion only after releasing 2.86.3 :-/
But I will follow you with the next patch (if you happen to find another vulnerability ...)
regards
Marc
On 13.12.2019 20:11:35, Frederic Cambus <notifications@github.com> wrote:
Thanks for the fix, 2.86.2 solves the issue for me as well.
In the future, it would be nice if you could mention the CVE in the ChangeLog and in the release notes, as it helps distribution packagers who track the CVE database to figure out which issues were fixed by a particular release.
Hi,
While fuzzing yabasic 2.86.1 with Honggfuzz, I found a heap-based buffer overflow in the yylex() function, in flex.c.
Attaching a reproducer (gzipped so GitHub accepts it): test01.yab.gz
Issue can be reproduced by running: