Hi, we seem to be vulnerable (at least, 2.16.1 is). The patch is here: http://sourceware.org/bugzilla/attachment.cgi?id=978&action=view Please, toolchain team, provide a new ebuild containing the fix.
"may allow arbitrary code execution", according to Secunia. So A1, critical, unless I'm wrong and there's no code execution vulnerability.
We don't treat toolchain issues as security issues. What is the bugzilla # in the sourceware bugzilla for this?
(In reply to comment #2)
> we dont treat toolchain issues as security issues
didn't know
> what is the bugzilla # in the sourceware bugzilla for this ?
http://sourceware.org/bugzilla/show_bug.cgi?id=2584
so what do we do about that bug?
Furthermore, I think it's A2 and not critical, since the issue can only occur by enticing a user to manipulate a specially crafted file.
CVE-2006-2362 Buffer overflow in getsym in tekhex.c in libbfd in Free Software Foundation GNU Binutils before 20060423, as used by GNU strings, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a file with a crafted Tektronix Hex Format (TekHex) record in which the length character is not a valid hexadecimal character. The exploitation path is a little unlikely, but this is still a vulnerability. vapier: this needs to be fixed; if you think not, please elaborate.
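To make the CVE text above concrete, here is an added example (not code from this bug, from binutils, or from the PR 2584 patch) that models the shape of the getsym bug: the length character of a TekHex symbol field is looked up in a hex table that returns 99 for anything that is not a hex digit, and that 99 is then used as a copy length into a 17-byte symbol buffer. The 17-byte buffer size, the 99 "bad digit" value and the record layouts are assumptions for the model, chosen to mirror the public description; the sample records are constructed. The unchecked copy writes into an oversized arena so the overrun can be measured without undefined behaviour, and the checked variant shows the class of fix (reject the record when the length character is not hex, and refuse a record shorter than its declared length).

```c
#include <stdio.h>
#include <string.h>

#define SYM_BUF   17      /* char sym[17]: 16 symbol chars + NUL (assumed, as in BFD's tekhex reader) */
#define CANARY    112     /* bytes kept after the symbol slot so an overflow can be observed */
#define ARENA     (SYM_BUF + CANARY)
#define HEX_BAD   99      /* value returned for a non-hex character (libiberty's "bad" marker) */

/* Value of one hex digit, or HEX_BAD for any other character. */
static unsigned hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return HEX_BAD;
}

/* Vulnerable shape of getsym(): the length character is trusted, so a non-hex
   character becomes a length of 99 and the copy runs far past a 17-byte
   destination.  dst must point at ARENA bytes here so the overrun stays inside
   memory we own; the loop also stops at the record's NUL so the source is not
   over-read (the real code had no such stop).  Caller guarantees *src != '\0'. */
static void getsym_unchecked(char *dst, const char **srcp, unsigned *lenp)
{
    const char *src = *srcp;
    unsigned len = hex_val((unsigned char)*src++);
    unsigned i;
    for (i = 0; i < len && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    *srcp = src + i;
    *lenp = i;
}

/* Hardened shape: refuse the record unless the length character really is a hex
   digit (0..15 always fits in SYM_BUF), and refuse a record shorter than the
   declared length so the source side is bounded as well.  Returns 1 on success. */
static int getsym_checked(char dst[SYM_BUF], const char **srcp, unsigned *lenp)
{
    const char *src = *srcp;
    unsigned len = hex_val((unsigned char)*src);
    if (len == HEX_BAD)
        return 0;                       /* bad length character: reject the record */
    src++;
    if (strlen(src) < len)
        return 0;                       /* truncated record */
    memcpy(dst, src, len);
    dst[len] = '\0';
    *srcp = src + len;
    *lenp = len;
    return 1;
}

/* Runs the unchecked parser on a record and returns how many canary bytes past
   the 17-byte symbol slot were overwritten (0 means no overflow). */
static unsigned overflow_bytes(const char *record)
{
    char arena[ARENA];
    const char *p = record;
    unsigned len, i, clobbered = 0;
    if (*record == '\0')
        return 0;
    memset(arena, 0x5a, sizeof arena);  /* canary pattern */
    getsym_unchecked(arena, &p, &len);
    for (i = SYM_BUF; i < ARENA; i++)
        if (arena[i] != 0x5a)
            clobbered++;
    return clobbered;
}

/* Constructed record: 'lenchar' followed by a long run of 'A' symbol characters. */
static unsigned crafted_overflow(char lenchar)
{
    char rec[ARENA + 8];
    rec[0] = lenchar;
    memset(rec + 1, 'A', sizeof rec - 2);
    rec[sizeof rec - 1] = '\0';
    return overflow_bytes(rec);
}

/* Does the hardened parser accept this record? */
static int checked_accepts(const char *record)
{
    char sym[SYM_BUF];
    const char *p = record;
    unsigned len;
    return getsym_checked(sym, &p, &len);
}

int main(void)
{
    printf("unchecked, length char '5': %u canary bytes clobbered\n", crafted_overflow('5'));
    printf("unchecked, length char 'Z': %u canary bytes clobbered\n", crafted_overflow('Z'));
    printf("checked, \"5HELLO\": accepted=%d\n", checked_accepts("5HELLO"));
    printf("checked, \"ZHELLO\": accepted=%d\n", checked_accepts("ZHELLO"));
    return 0;
}
```

With 'Z' as the length character the unchecked copy writes 99 bytes plus a NUL, 83 of them beyond the 17-byte slot; with any real hex digit (at most 15) nothing past the slot is touched. The hardened variant rejects the 'Z' record outright, which is the same outcome the fix for PR 2584 produces by validating the length character before using it.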
I never said it shouldn't be fixed, I said this isn't GLSA material. We ourselves have found many, many ways to crash strings/bfd/binutils/etc...
So this patch doesn't apply cleanly to 2.16.1, and 2.17 is right around the corner. So we can sit and wait for 2.17 (which includes the patch) or I can spend some time trying to backport it. I'd prefer to just go with 2.17 myself :p
Created attachment 87508 [details, diff] binutils-PR2584.patch
Let's wait for 2.17.
Ubuntu just released USN-292-1 fixing this one.
Toolchain, please advise and patch as necessary.
2.17 is in the tree... Personally, I don't think this is worth pushing into stable.
Thanks, Mike, changing component to Default Configs.
Hi, do we need to wait until 2.17 is stabilized everywhere before closing this bug?
still waiting...
Moving 2.17 to stable is fine now.
amd64 and x86, please test and mark 2.17 stable.
amd64 done.
Created attachment 123022 [details] build.log
Tests fail... is this ok?
If the test failures match Bug 144419, then yes, you can ignore them, for they are simple false positives.
x86 stable, last arch, changing status to glsa?
We don't usually issue GLSAs for default config issues. So unless anyone complains I just think we should close this one as fixed.
I'd agree, no GLSA.
I vote no GLSA, let's close it.
Closing with NO GLSA.