DSA-3653-2 flex -- flex
ID: oval:org.secpod.oval:def:602606 | Date: (C)2016-09-12 (M)2023-12-07 |
Class: PATCH | Family: unix |
It was reported that the update for flex released in DSA-3653-1 did not completely address CVE-2016-6354 as intended, due to problems in the patch handling and in files regenerated during the build. Additionally, a regression was introduced, causing new warnings when compiling flex-generated code. Updated packages are now available to address these problems.

For reference, the relevant part of the original advisory text follows.

Alexander Sulfrian discovered a buffer overflow in the yy_get_next_buffer function generated by Flex, which may result in denial of service and potentially the execution of code if operating on data from untrusted sources. Affected applications need to be rebuilt.