From: Frank K. <fbk...@co...> - 2005-01-23 07:49:59
Now available at SourceForge:

http://www.sf.net/projects/nasm

Please upgrade!

Frank Kotler wrote:
>
> Nasm 0.98.39 is available - but not on SourceForge quite
> yet... they're having some "transitional difficulties" at
> the moment. We'll get copies up there as soon as the release
> system seems stable - couple days, probably.
>
> Meanwhile:
>
> http://www.kernel.org/pub/software/devel/nasm/
>
> The "binaries" are not complete, but win32, djgpp, and Linux
> are available, plus, of course, a source package. 0.98.39
> goes from C89 to C99, which apparently is causing some build
> problems with some compilers. If you need/want to build Nasm
> from source, and you can't figure it out, holler for help.
> If you *can* figure it out, *post* some help, please.
>
> For djgpp, you need the "beta 2.04" version, for example
> (Thanks to Bart Oldeman for that tip). The Makefile created
> by "configure" in Linux (and rdoff/Makefile) needs "std=c99"
> removed. (Mkfiles/Makefile.unx seems okay) I hope we'll have
> a "cleanup release" out sooner than the year and a half that
> this release took, but no promises.
>
> I *really* hope that everyone will upgrade to 0.98.39 as
> soon as possible! Why? Well... a "Serious Problem" has been
> uncovered in Nasm - all versions prior to 0.98.39 (maybe not
> *really* early versions). We all know enough not to run
> code from untrusted sources (I hope!). Turns out you're
> vulnerable even *assembling* malicious source with Nasm.
> Yes, a <line-noise> buffer overflow (potentially
> exploitable). Betov gets "I told you so" rights. Not
> actually *caused* by using C, but C provided the hole for us
> to fall into. I am deeply embarrassed that this remained
> undiscovered so long!
>
> The vulnerability was discovered by Jonathan Rockway (a
> student - since Nasm was written by a student, this is
> perhaps appropriate), reported to us by D.J.Bernstein (his
> instructor). Fixed by Ed Beroset. Thanks to all involved!
>
> Other than that, the changes aren't too exciting. Nice new
> rdoff stuff from Yuri Zaporogets, for the few who use rdoff.
> Otherwise minor cleanups not worth mentioning...
>
> Please upgrade and get rid of that buffer overflow! If you
> can't/won't upgrade, please *examine* any source code from
> less-than-fully-trusted sources for anything that looks
> "weird". AFAIK, no one is targeting Nasm, but... we don't
> need this crap!
>
> Best,
> Frank