Source: zydis
Version: 3.1.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for zydis.

CVE-2021-41253[0]:
| Zydis is an x86/x86-64 disassembler library. Users of Zydis versions
| v3.2.0 and older that use the string functions provided in `zycore` in
| order to append untrusted user data to the formatter buffer within
| their custom formatter hooks can run into heap buffer overflows. Older
| versions of Zydis failed to properly initialize the string object
| within the formatter buffer, forgetting to initialize a few fields,
| leaving their value to chance. This could then in turn cause zycore
| functions like `ZyanStringAppend` to make incorrect calculations for
| the new target size, resulting in heap memory corruption. This does
| not affect the regular uncustomized Zydis formatter, because Zydis
| internally doesn't use the string functions in zycore that act upon
| these fields. However, because the zycore string functions are the
| intended way to work with the formatter buffer for users of the
| library that wish to extend the formatter, we still consider this to
| be a vulnerability in Zydis. This bug is patched starting in version
| 3.2.1. As a workaround, users may refrain from using zycore string
| functions in their formatter hooks until updating to a patched
| version.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41253
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41253
[1] https://github.com/zyantific/zydis/security/advisories/GHSA-q42v-hv86-3m4g

Regards,
Salvatore
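
Added example, not part of the original report and not code from Zydis or zycore: a simplified C model of the failure mode the CVE text describes, where an init routine leaves a field unset and a later append trusts it. The struct, its field names and the choice of `capacity` as the unset field are assumptions for illustration; the report does not say which fields were affected.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of a string over a caller-supplied fixed buffer.
 * Hypothetical names; this is not zycore's ZyanString layout. */
typedef struct {
    char  *data;      /* backing buffer */
    size_t size;      /* bytes used, including the terminating NUL */
    size_t capacity;  /* total bytes available in data */
} ModelString;

/* Flawed init: capacity is never written and keeps whatever was in memory. */
void init_partial(ModelString *s, char *buf, size_t cap) {
    (void)cap;
    s->data = buf;
    s->size = 1;
    buf[0] = '\0';
}

/* Corrected init: every field the append path reads is set explicitly. */
void init_full(ModelString *s, char *buf, size_t cap) {
    init_partial(s, buf, cap);
    s->capacity = cap;
}

/* Size check as an append routine performs it, trusting s->capacity. */
int fits(const ModelString *s, size_t len) {
    return s->size <= s->capacity && len <= s->capacity - s->size;
}

/* Bounded append: 0 on success, -1 if the data does not fit. */
int append(ModelString *s, const char *src, size_t len) {
    if (!fits(s, len)) return -1;
    memcpy(s->data + s->size - 1, src, len);
    s->size += len;
    s->data[s->size - 1] = '\0';
    return 0;
}

/* Returns 1 if a 64-byte append into a 16-byte buffer passes the size check.
 * The 0xAA fill is a constructed stand-in for stale heap contents. */
int oversized_append_accepted(int use_full_init) {
    char buf[16];
    ModelString s;
    memset(&s, 0xAA, sizeof s);
    if (use_full_init) init_full(&s, buf, sizeof buf);
    else               init_partial(&s, buf, sizeof buf);
    return fits(&s, 64);
}
```

With the partial init the size check itself is correct but reads a stale `capacity`, so it cannot protect the buffer; only initializing every field closes the gap.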