Your submission was sent successfully! Close

USN-260-1: flex vulnerability

07 March 2006

flex vulnerability



Chris Moore discovered a buffer overflow in a particular class of
lexicographical scanners generated by flex. This could be exploited to
execute arbitrary code by processing specially crafted user-defined
input to an application that uses a flex scanner for parsing.

This flaw particularly affects gpc, the GNU Pascal Compiler. A
potentially remote attacker could exploit this by tricking an user or
automated system into compiling a specially crafted Pascal source code

Please note that gpc is not officially supported in Ubuntu (it is in
the 'universe' component of the archive). However, this affects you if
you use a customized version built from the gcc-3.3 or gcc-3.4 source
package (which is supported).

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 5.10
  • flex -
  • gpc-2.1-3.4 -
  • gpc-2.1-3.3 -
Ubuntu 5.04
  • flex -
  • gpc-2.1-3.4 -
  • gpc-2.1-3.3 -
Ubuntu 4.10
  • flex -
  • gpc-2.1-3.4 -
  • gpc-2.1-3.3 -

In general, a standard system update will make all the necessary changes.