[gentoo-commits] gentoo-x86 commit in dev-util/byacc/files: byacc-1.9-CVE-2008-3196.patch - gentoo-commits

From:	"Robert Buchholz (rbu)" <rbu@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo-x86 commit in dev-util/byacc/files: byacc-1.9-CVE-2008-3196.patch
Date:	Sat, 04 Oct 2008 18:57:34
Message-Id:	`E1KmCJo-0002SM-8A@stork.gentoo.org`

1

rbu         08/10/04 18:57:32

2

3

  Added:                byacc-1.9-CVE-2008-3196.patch

4

  Log:

5

  Fix stack access error (security bug #232005).

6

  (Portage version: 2.2_rc11/cvs/Linux 2.6.25-gentoo-r6 x86_64)

7

8

Revision  Changes    Path

9

1.1                  dev-util/byacc/files/byacc-1.9-CVE-2008-3196.patch

10

11

file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-util/byacc/files/byacc-1.9-CVE-2008-3196.patch?rev=1.1&view=markup

12

plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-util/byacc/files/byacc-1.9-CVE-2008-3196.patch?rev=1.1&content-type=text/plain

13

14

Index: byacc-1.9-CVE-2008-3196.patch

15

===================================================================

16

Tue Jul 8 15:06:50 2008 UTC by otto

17

18

Fix an venerable bug: if we're reducing a rule that has an empty

19

right hand side and the yacc stackpointer is pointing at the very

20

end of the allocated stack, we end up accessing the stack out of

21

bounds by the implicit $$ = $1 action.  Detected by my new malloc,

22

experienced by sturm@ on sparc64; ok deraadt@

23

24

25

Index: yacc-1.9.1/skeleton.c

26

===================================================================

27

--- yacc-1.9.1.orig/skeleton.c

28

+++ yacc-1.9.1/skeleton.c

29

@@ -18,6 +18,7 @@ char *banner[] =

30

     "/*static char yysccsid[] = \"from: @(#)yaccpar	1.9 (Berkeley) 02/21/93\";*/",

31

     "static char yyrcsid[] = \"$Id: byacc-1.9-CVE-2008-3196.patch,v 1.1 2008/10/04 18:57:31 rbu Exp $\";",

32

     "#endif",

33

+    "#include <string.h>",

34

     "#define YYBYACC 1",

35

     "#define YYMAJOR 1",

36

     "#define YYMINOR 9",

37

@@ -226,7 +227,10 @@ char *body[] =

38

     "                YYPREFIX, yystate, yyn, yyrule[yyn]);",

39

     "#endif",

40

     "    yym = yylen[yyn];",

41

-    "    yyval = yyvsp[1-yym];",

42

+    "    if (yym)",

43

+    "        yyval = yyvsp[1-yym];",

44

+    "    else",

45

+    "        memset(&yyval, 0, sizeof yyval);",

46

     "    switch (yyn)",

47

     "    {",

48

0

1	rbu 08/10/04 18:57:32
2
3	Added: byacc-1.9-CVE-2008-3196.patch
4	Log:
5	Fix stack access error (security bug #232005).
6	(Portage version: 2.2_rc11/cvs/Linux 2.6.25-gentoo-r6 x86_64)
7
8	Revision Changes Path
9	1.1 dev-util/byacc/files/byacc-1.9-CVE-2008-3196.patch
10
11	file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-util/byacc/files/byacc-1.9-CVE-2008-3196.patch?rev=1.1&view=markup
12	plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-util/byacc/files/byacc-1.9-CVE-2008-3196.patch?rev=1.1&content-type=text/plain
13
14	Index: byacc-1.9-CVE-2008-3196.patch
15	===================================================================
16	Tue Jul 8 15:06:50 2008 UTC by otto
17
18	Fix an venerable bug: if we're reducing a rule that has an empty
19	right hand side and the yacc stackpointer is pointing at the very
20	end of the allocated stack, we end up accessing the stack out of
21	bounds by the implicit $$ = $1 action. Detected by my new malloc,
22	experienced by sturm@ on sparc64; ok deraadt@
23
24
25	Index: yacc-1.9.1/skeleton.c
26	===================================================================
27	--- yacc-1.9.1.orig/skeleton.c
28	+++ yacc-1.9.1/skeleton.c
29	@@ -18,6 +18,7 @@ char *banner[] =
30	"/static char yysccsid[] = \"from: @(#)yaccpar 1.9 (Berkeley) 02/21/93\";/",
31	"static char yyrcsid[] = \"$Id: byacc-1.9-CVE-2008-3196.patch,v 1.1 2008/10/04 18:57:31 rbu Exp $\";",
32	"#endif",
33	+ "#include <string.h>",
34	"#define YYBYACC 1",
35	"#define YYMAJOR 1",
36	"#define YYMINOR 9",
37	@@ -226,7 +227,10 @@ char *body[] =
38	" YYPREFIX, yystate, yyn, yyrule[yyn]);",
39	"#endif",
40	" yym = yylen[yyn];",
41	- " yyval = yyvsp[1-yym];",
42	+ " if (yym)",
43	+ " yyval = yyvsp[1-yym];",
44	+ " else",
45	+ " memset(&yyval, 0, sizeof yyval);",
46	" switch (yyn)",
47	" {",
48	0

Gentoo Archives: gentoo-commits