Skip to content

Commit

Permalink
package/flex: ignore CVE-2019-6293
Browse files Browse the repository at this point in the history 
https://security-tracker.debian.org/tracker/CVE-2019-6293

NixOS/nixpkgs#55386 (comment)
 "But this bug does not cause stack overflows in the generated code.
 The function and file referred to in the bug (mark_beginning_as_normal
 in nfa.c) are part of the flex code generator, not part of the
 generated code. If flex crashes before generating any code, that
 can hardly be a vulnerability. If flex does not crash, the generated
 code is fine (or perhaps subject to other unreported bugs, who knows,
 but the NFA has been generated correctly)."

Upstream has chosen to not provide a fix
 westes/flex#414

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
[yann.morin.1998@free.fr: use actual upstream URL]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  • Loading branch information
@rc-matthew-l-weber @yann-morin-1998
rc-matthew-l-weber authored and yann-morin-1998 committed Apr 24, 2021
1 parent 5ce1e77 commit 120d124
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions package/flex/flex.mk
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ FLEX_INSTALL_STAGING = YES
FLEX_LICENSE = FLEX
FLEX_LICENSE_FILES = COPYING
FLEX_CPE_ID_VENDOR = flex_project
# bug does not cause stack overflows in the generated code and has been
# noted upstream as a bug in the code generator
FLEX_IGNORE_CVES = CVE-2019-6293
FLEX_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES) host-m4
HOST_FLEX_DEPENDENCIES = host-m4

Expand Down

0 comments on commit 120d124

Please sign in to comment.