Bug 134112 - [binutils] buffer overflow in bfd/tekhex.c (CVE-2006-2362)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: [noglsa] Falco
Keywords:
Depends on:
Blocks: 182923
Reported: 2006-05-23 07:21 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2007-07-15 09:46 UTC

Attachments
binutils-PR2584.patch (binutils-PR2584.patch,4.79 KB, patch)
2006-05-25 15:11 UTC, SpanKY
build.log (build.log,322.72 KB, text/plain)
2007-06-25 07:02 UTC, Christian Faulhammer (RETIRED)

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-23 07:21:05 UTC
hi,

we seem to be vulnerable (at least, 2.16.1 is).

patch is here : http://sourceware.org/bugzilla/attachment.cgi?id=978&action=view

please toolchain-team, provide a new ebuild containing the fix.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-23 07:23:17 UTC
"may allow arbitrary code execution" according to Secunia. So A1, critical, unless i'm wrong and there's no code execution vulnerability.
Comment 2 SpanKY gentoo-dev 2006-05-23 11:37:21 UTC
we don't treat toolchain issues as security issues

what is the bugzilla # in the sourceware bugzilla for this ?
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-23 11:51:05 UTC
(In reply to comment #2)
> we don't treat toolchain issues as security issues
> 

didn't know

> what is the bugzilla # in the sourceware bugzilla for this ?
> 

http://sourceware.org/bugzilla/show_bug.cgi?id=2584


so what do we do about that bug ?
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-25 07:21:36 UTC
Furthermore, i think it's A2 and not critical since the issue can only occur by enticing a user to manipulate a specially crafted file.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-05-25 11:11:43 UTC
CVE-2006-2362 

Buffer overflow in getsym in tekhex.c in libbfd in Free Software Foundation GNU Binutils before 20060423, as used by GNU strings, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a file with a crafted Tektronix Hex Format (TekHex) record in which the length character is not a valid hexadecimal character.

Exploitation path is a little unlikely but this is still a vulnerability.
vapier : this needs to be fixed; if you think not, please elaborate.
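
The kind of check the CVE description in comment 5 calls for, shown as an added example that is not part of this bug thread and not the binutils code or the PR2584 patch: a length-prefixed field reader that rejects a length character that is not a hexadecimal digit before using it as a copy length. The names `hex_digit`, `read_field`, `HEX_BAD` and `SYM_MAX`, and the convention that a length digit of 0 means 16, are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SYM_MAX 16   /* assumption: one hex digit of length, 0 taken to mean 16 */
#define HEX_BAD 99   /* constructed sentinel for "not a hex digit" */

/* Map one character to its hex value, or HEX_BAD if it is not a hex digit. */
static unsigned hex_digit(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return HEX_BAD;
}

/*
 * src[0] is a hex length character followed by that many payload bytes.
 * Copies the payload into dst (dst_size bytes, NUL-terminated).
 * Returns the number of bytes consumed from src, or -1 if malformed.
 */
static int read_field(const char *src, size_t src_len, char *dst, size_t dst_size)
{
    unsigned len;

    if (src_len < 1) return -1;
    len = hex_digit((unsigned char)src[0]);
    if (len == HEX_BAD) return -1;      /* never use the sentinel as a length */
    if (len == 0) len = SYM_MAX;
    if (len > src_len - 1) return -1;   /* field would run past the record */
    if (len >= dst_size) return -1;     /* field would not fit the destination */
    memcpy(dst, src + 1, len);
    dst[len] = '\0';
    return (int)(len + 1);
}

int main(void)
{
    char sym[SYM_MAX + 1];
    /* Constructed inputs: a well-formed field and one with a bad length char. */
    printf("%d\n", read_field("3abcXYZ", 7, sym, sizeof sym));
    printf("%d\n", read_field("Gabc", 4, sym, sizeof sym));
    return 0;
}
```
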
Comment 6 SpanKY gentoo-dev 2006-05-25 14:24:14 UTC
i never said it shouldn't be fixed, i said this isn't GLSA material

we ourselves have found many many ways to crash strings/bfd/binutils/etc...
Comment 7 SpanKY gentoo-dev 2006-05-25 15:11:24 UTC
so this patch doesn't apply cleanly to 2.16.1 and 2.17 is right around the corner

so we can sit and wait for 2.17 (which includes the patch) or i can spend some time trying to backport it

i'd prefer to just go with 2.17 myself :p
Comment 8 SpanKY gentoo-dev 2006-05-25 15:11:54 UTC
Created attachment 87508
binutils-PR2584.patch
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2006-05-26 03:58:53 UTC
let's wait for 2.17
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-10 00:25:07 UTC
Ubuntu just released USN-292-1 fixing this one.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-30 09:00:04 UTC
toolchain, please advise and patch as necessary.
Comment 12 SpanKY gentoo-dev 2006-06-30 15:46:52 UTC
2.17 is in the tree ...

personally, i don't think this is worth pushing into stable
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-01 00:13:50 UTC
Thx Mike, changing component to default configs.
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-09-07 10:57:08 UTC
Hi,

do we need to wait until 2.17 to be stabilized everywhere before closing this bug ?
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-05-08 19:31:12 UTC
still waiting...
Comment 16 SpanKY gentoo-dev 2007-06-24 18:45:35 UTC
moving 2.17 to stable is fine now
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-24 22:17:27 UTC
amd64 and x86 please test and mark 2.17 stable.
Comment 18 Christoph Mende (RETIRED) gentoo-dev 2007-06-24 22:29:41 UTC
amd64 done
Comment 19 Christian Faulhammer (RETIRED) gentoo-dev 2007-06-25 07:02:22 UTC
Created attachment 123022
build.log

Tests fail...is this ok?
Comment 20 SpanKY gentoo-dev 2007-06-25 07:23:17 UTC
if the test failures match Bug 144419, then yes you can ignore them for they are simple false positives
Comment 21 Christian Faulhammer (RETIRED) gentoo-dev 2007-06-25 07:43:15 UTC
x86 stable, last arch, changing status to glsa?
Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-25 08:53:33 UTC
We don't usually issue GLSAs for default config issues. So unless anyone complains I just think we should close this one as fixed.
Comment 23 SpanKY gentoo-dev 2007-06-25 15:10:01 UTC
i'd agree, no glsa
Comment 24 Matt Drew (RETIRED) gentoo-dev 2007-07-02 21:04:56 UTC
I vote no glsa, let's close it.
Comment 25 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-15 09:46:05 UTC
Closing with NO GLSA.