Xudong Cao <[email protected]> writes:

> ## Vulnerability Confirmation
>
> This vulnerability has been confirmed through:
> - GDB stack trace analysis showing consistent crash location
> - Multiple POC files triggering identical assertion failures
> - Reproducible crash across different input variations
>
> The assertion failure demonstrates a fundamental buffer management issue in
> Bison's core processing logic, making this a legitimate security
> vulnerability affecting program reliability.

I don't see the need to fear a malicious user running 'bison' on my machine and causing a failed assertion. Surely they would do something more productive with their time. Maybe steal my GPG or SSH private key?

I found that this was assigned a CVE [1]. The repetitive format of this user's posts makes me think it is some AI to farm CVE credits. Reasoning written below...

See another report written to the wrong place [2] [3]. One written to GNU cflow [4] [5]. Another bug written to the wrong project [6]. A bug that can't be replicated [7]. Another bug that can't be replicated [8]. Another written to the wrong project [9]. Another written to the wrong project [10]. Another written to the wrong project [11]. Duplicate bug report [12] [13] [14]. Another one fitting the pattern [15].

All of the listed bugs, ignoring the previously mentioned problems, use the same structured format, which looks like stereotypical ChatGPT format to me, e.g. using many bullet points. The processes all involve running some malicious input on a program with address sanitizer enabled much of the time. Certainly things that should be fixed, but worth CVE reports? Sent to the wrong projects sometimes at that?

It reminds me of the recent GNU tar CVE, that was not reported to anyone until someone else alerted the list (thanks to them for noticing) [16]. I also smelled AI with all the bullet points in that article [17]. But it turns out they just copied a situation warned about in the manual [18]!

Collin

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-8733
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-8746
[3] https://github.com/appneta/tcpreplay/issues/957
[4] https://lists.gnu.org/archive/html/bug-cflow/2025-07/msg00001.html
[5] https://nvd.nist.gov/vuln/detail/CVE-2025-8746
[6] https://sourceware.org/bugzilla/show_bug.cgi?id=33027
[7] https://sourceware.org/bugzilla/show_bug.cgi?id=33003
[8] https://sourceware.org/bugzilla/show_bug.cgi?id=33004
[9] https://sourceware.org/bugzilla/show_bug.cgi?id=33028
[10] https://sourceware.org/bugzilla/show_bug.cgi?id=33026
[11] https://sourceware.org/bugzilla/show_bug.cgi?id=33022
[12] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=120541
[13] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=120540
[14] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=120538
[15] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=120537
[16] https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00000.html
[17] https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md
[18] https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
