* Collin Funk: > Xudong Cao <[email protected]> writes: > >> ## Vulnerability Confirmation >> >> This vulnerability has been confirmed through: >> - GDB stack trace analysis showing consistent crash location >> - Multiple POC files triggering identical assertion failures >> - Reproducible crash across different input variations >> >> The assertion failure demonstrates a fundamental buffer management issue in >> Bison's core processing logic, making this a legitimate security >> vulnerability affecting program reliability. > > I don't see the need to fear a malicious user running 'bison' on my > machine and causing a failed assertion. Surely they would do something > more productive with their time. Maybe steal my GPG or SSH private key? > > I found that this was assigned a CVE [1].
> [1] https://nvd.nist.gov/vuln/detail/CVE-2025-8733 This is also <https://nvd.nist.gov/vuln/detail/CVE-2025-8734>. Has anyone been able to make the reproducer work? The file uploaded to Google drive may have been garbled, not sure. (We've reached out internally to Red Hat Product Security because Red Hat currently publishes a statement that the issues were reproduced on bison 3.8.2, but not on bison 3.7.4. I don't know how this conclusion was reached based on the publicly available information.) Thanks, Florian
