Executive Summary
| Summary | |
|---|---|
| Title | flex vulnerability |
| Informations | |||
|---|---|---|---|
| Name | USN-260-1 | First vendor Publication | 2006-03-06 |
| Vendor | Ubuntu | Last vendor Modification | 2006-03-06 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) Ubuntu 5.10 (Breezy Badger) The following packages are affected: flex gpc-2.1-3.3 gpc-2.1-3.4 The problem can be corrected by upgrading the affected package to the following versions: Ubuntu 4.10: flex: 2.5.31-26ubuntu1.2 Ubuntu 5.04: flex: 2.5.31-31ubuntu0.5.04.1 Ubuntu 5.10: flex: 2.5.31-31ubuntu0.5.10.1 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Chris Moore discovered a buffer overflow in a particular class of lexicographical scanners generated by flex. This could be exploited to execute arbitrary code by processing specially crafted user-defined input to an application that uses a flex scanner for parsing. This flaw particularly affects gpc, the GNU Pascal Compiler. A potentially remote attacker could exploit this by tricking an user or automated system into compiling a specially crafted Pascal source code file. Please note that gpc is not officially supported in Ubuntu (it is in the 'universe' component of the archive). However, this affects you if you use a customized version built from the gcc-3.3 or gcc-3.4 source package (which is supported). |
Original Source
| Url : http://www.ubuntu.com/usn/USN-260-1 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-09-24 | Name : Gentoo Security Advisory GLSA 200603-07 (flex) File : nvt/glsa_200603_07.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 1020-1 (flex) File : nvt/deb_1020_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 23440 | Fast Lexical Analyzer Generator (Flex) Multiple Lexicographical Scanners Over... Fast Lexical Analyzer Generator (Flex) contains a flaw that may allow arbitrary code execution. The issue is due to a buffer overflow in a particular class of lexicographical scanners generated by flex. It is unclear if there are additional vulnerabilities. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1020.nasl - Type : ACT_GATHER_INFO |
| 2006-03-13 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200603-07.nasl - Type : ACT_GATHER_INFO |
| 2006-03-13 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-260-1.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 12:03:20 |
|
