The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of flex: buffer overflow via yy_get_next_buffer

Synthesis of the vulnerability

An attacker can generate a buffer overflow via yy_get_next_buffer of flex, in order to trigger a denial of service, and possibly to run code.
Severity of this computer vulnerability: 2/4.
Creation date: 09/08/2016.
References of this bulletin: CERTFR-2017-AVI-134, CVE-2016-6354, DSA-3653-1, DSA-3653-2, FEDORA-2016-8d79ade826, FEDORA-2016-c9ad9582f7, FEDORA-2017-31c64a0bbf, FEDORA-2017-82265ed89e, FEDORA-2017-87e23bcc34, MFSA-2017-10, MFSA-2017-11, MFSA-2017-12, MFSA-2017-13, openSUSE-SU-2016:2167-1, openSUSE-SU-2016:2182-1, openSUSE-SU-2016:2253-1, openSUSE-SU-2016:2254-1, openSUSE-SU-2016:2378-1, openSUSE-SU-2016:2450-1, openSUSE-SU-2017:0356-1, SSA:2017-112-01, VIGILANCE-VUL-20338.

Description of the vulnerability

An attacker can generate a buffer overflow via yy_get_next_buffer of flex, in order to trigger a denial of service, and possibly to run code.

This threat bulletin impacts software or systems such as Debian, Fedora, Firefox, Thunderbird, openSUSE, openSUSE Leap, Slackware, SUSE Linux Enterprise Desktop, SLES.

Our Vigil@nce team determined that the severity of this cybersecurity alert is medium.

The trust level is: confirmed by the editor, with an origin of: document.

An attacker with expert ability can exploit this security alert.

Solutions for this threat

Debian 8: new flex packages.
New packages are available:
  Debian 8: flex 2.5.39-8+deb8u2

Fedora 25: new thunderbird packages.
New packages are available:
  Fedora 25: thunderbird 52.1.0-1.fc25

Fedora: new firefox packages.
New packages are available:
  Fedora 24: firefox 53.0-2.fc24
  Fedora 25: firefox 53.0-2.fc25

Fedora: new flex packages.
New packages are available:
  Fedora 23: flex 2.6.0-2.fc23
  Fedora 24: flex 2.6.0-2.fc24

Firefox: version 45.9.
Version 45.9 is fixed:
  https://www.mozilla.org/en-US/firefox/new/

Firefox: version 52.1.
Version 52.1 is fixed:
  https://www.mozilla.org/en-US/firefox/new/

Firefox: version 53.
Version 53 is fixed:
  https://www.mozilla.org/en-US/firefox/new/

Mozilla Thunderbird: version 52.1.
Version 52.1 is fixed:
  https://www.mozilla.org/en-US/thunderbird/all/

openSUSE Leap 42.1: new flex packages.
New packages are available:
  openSUSE Leap 42.1: flex 2.5.37-11.1

openSUSE Leap: new seamonkey packages.
New packages are available:
  openSUSE Leap 42.1: seamonkey 2.46-9.2
  openSUSE Leap 42.2: seamonkey 2.46-9.2

openSUSE: new MozillaFirefox packages.
New packages are available:
  openSUSE 13.1: MozillaFirefox 48.0.1-122.3, mozilla-nss 3.24-88.1
  openSUSE 13.2: MozillaFirefox 48.0.1-77.4, mozilla-nss 3.24-43.1
  openSUSE Leap 42.1: MozillaFirefox 48.0.1-30.6, mozilla-nss 3.24-26.2

openSUSE: new MozillaThunderbird packages.
New packages are available:
  openSUSE 13.1: MozillaThunderbird 45.3.0-70.86.1
  openSUSE 13.2: MozillaThunderbird 45.3.0-46.2
  openSUSE Leap 42.1: MozillaThunderbird 45.3.0-19.2

Slackware: new mozilla-firefox 45.9 packages.
New packages are available:
  Slackware 14.1: mozilla-firefox 45.9.0esr-*-1_slack14.1

SUSE LE 12: new MozillaThunderbird packages.
New packages are available:
  SUSE LE 12 RTM/SP1: MozillaThunderbird 45.3.0-9.1
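The package list above shows the practical difficulty with this bulletin: the affected function, yy_get_next_buffer, lives in the C scanner that flex generates, so the vulnerable code is compiled into other projects (Firefox, Thunderbird, SeaMonkey) rather than only into the flex package itself, and updating flex alone does not patch scanners already generated and checked into a source tree. The following inventory script is an added example, not part of the Vigil@nce bulletin or of flex: it locates flex-generated C files in a source tree by the YY_FLEX_MAJOR/MINOR/SUBMINOR_VERSION defines that flex emits into every generated scanner, and flags those produced by a generator version older than a threshold. The threshold (2.6.1, the upstream release assumed here to carry the fix) is an assumption and must be taken from your distribution's advisory; as the Debian and openSUSE entries above show, distributions backport the fix into older version numbers, so an "older" generator version is a prompt for review, not proof of exposure. The sample scanner headers are constructed.

```python
import os
import re
from typing import Dict, Optional, Tuple

# ASSUMPTION: upstream flex release assumed to include the fix for the
# yy_get_next_buffer overflow. Not stated in the bulletin; distribution
# packages (e.g. Debian flex 2.5.39-8+deb8u2) backport the fix, so a
# generated scanner with an older version stamp may already be patched.
FIXED_UPSTREAM: Tuple[int, int, int] = (2, 6, 1)

# flex stamps every generated scanner with these three defines.
_DEFINE_RE = re.compile(
    r"^\s*#\s*define\s+YY_FLEX_(MAJOR|MINOR|SUBMINOR)_VERSION\s+(\d+)\s*$",
    re.MULTILINE,
)

SOURCE_SUFFIXES = (".c", ".cc", ".cpp", ".cxx")


def flex_version(source: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, subminor) of the flex that generated `source`,
    or None if the file does not carry the flex version defines."""
    found = {m.group(1): int(m.group(2)) for m in _DEFINE_RE.finditer(source)}
    if not {"MAJOR", "MINOR", "SUBMINOR"} <= found.keys():
        return None
    return (found["MAJOR"], found["MINOR"], found["SUBMINOR"])


def classify(source: str, fixed: Tuple[int, int, int] = FIXED_UPSTREAM) -> str:
    """Classify one file:
      'not-flex'        - no flex version stamp
      'fixed-or-newer'  - generated by flex >= `fixed`
      'review'          - generated by an older flex; confirm against the
                          distribution advisory or regenerate the scanner."""
    version = flex_version(source)
    if version is None:
        return "not-flex"
    if version >= fixed:
        return "fixed-or-newer"
    return "review"


def scan_tree(root: str, fixed: Tuple[int, int, int] = FIXED_UPSTREAM) -> Dict[str, str]:
    """Walk `root` and return {path: classification} for every flex-generated
    scanner found (files without a flex stamp are omitted)."""
    results: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(SOURCE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    # The version stamp sits near the top of the file.
                    head = fh.read(16384)
            except OSError:
                continue
            verdict = classify(head, fixed)
            if verdict != "not-flex":
                results[path] = verdict
    return results


# Constructed sample inputs (headers in the shape flex writes them).
SAMPLE_OLD = """/* A lexical scanner generated by flex */
#define FLEX_SCANNER
#define YY_FLEX_MAJOR_VERSION 2
#define YY_FLEX_MINOR_VERSION 5
#define YY_FLEX_SUBMINOR_VERSION 39
static int yy_get_next_buffer (void);
"""

SAMPLE_NEW = """/* A lexical scanner generated by flex */
#define FLEX_SCANNER
#define YY_FLEX_MAJOR_VERSION 2
#define YY_FLEX_MINOR_VERSION 6
#define YY_FLEX_SUBMINOR_VERSION 4
static int yy_get_next_buffer (void);
"""

SAMPLE_PLAIN = "int main(void) { return 0; }\n"


if __name__ == "__main__":
    for label, text in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("plain", SAMPLE_PLAIN)):
        print(f"{label}: version={flex_version(text)} -> {classify(text)}")
    # Real use: python3 flex_inventory.py, then scan_tree("/path/to/source")
```

Run scan_tree() against a checked-out source tree before and after an upgrade: a scanner still marked "review" after the flex package update is one that was committed as generated code and needs to be regenerated (or matched against the vendor's backport) rather than relying on the package change.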
