Bug 134112 - [binutils] buffer overflow in bfd/tekhex.c (CVE-2006-2362)
Bug#: 134112 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: enhancement Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: falco@gentoo.org
Component: Default Configs
URL:  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2362
Summary: [binutils] buffer overflow in bfd/tekhex.c (CVE-2006-2362)
Keywords:  
Status Whiteboard: [noglsa] Falco
Opened: 2006-05-23 07:21 0000
Description:   Opened: 2006-05-23 07:21 0000 
hi,

we seem to be vulnerable (at least, 2.16.1 is).

patch is here :
http://sourceware.org/bugzilla/attachment.cgi?id=978&action=view

please toolchain-team, provide a new ebuild containing the fix.

------- Comment #1 From Raphael Marichez 2006-05-23 07:23:17 0000 ------- 
" may allow arbitrary code execution" as for Secunia. So A1, critical, unless
i'm wrong and there's no code execution vulnerability.

------- Comment #2 From SpanKY 2006-05-23 11:37:21 0000 ------- 
we dont treat toolchain issues as security issues

what is the bugzilla # in the sourceware bugzilla for this ?

------- Comment #3 From Raphael Marichez 2006-05-23 11:51:05 0000 ------- 
(In reply to comment #2)
> we dont treat toolchain issues as security issues
> 

didn't know

> what is the bugzilla # in the sourceware bugzilla for this ?
> 

http://sourceware.org/bugzilla/show_bug.cgi?id=2584


so what do we do about that bug ?

------- Comment #4 From Raphael Marichez 2006-05-25 07:21:36 0000 ------- 
Furthermore, i think it's A2 and not critical since the issue can only occur by
enticing an user to manipulate a specially crafted file.

------- Comment #5 From Thierry Carrez (RETIRED) 2006-05-25 11:11:43 0000 ------- 
CVE-2006-2362 

Buffer overflow in getsym in tekhex.c in libbfd in Free Software Foundation GNU
Binutils before 20060423, as used by GNU strings, allows context-dependent
attackers to cause a denial of service (application crash) and possibly execute
arbitrary code via a file with a crafted Tektronix Hex Format (TekHex) record
in which the length character is not a valid hexadecimal character.

Exploitation path is a little unilikely but this is still a vulnerability.
vapier : this needs to be fixed; if you think not, please elaborate.

------- Comment #6 From SpanKY 2006-05-25 14:24:14 0000 ------- 
i never said it shouldnt be fixed, i said this isnt GLSA material

we ourselves have found many many ways to crash strings/bfd/binutils/etc...

------- Comment #7 From SpanKY 2006-05-25 15:11:24 0000 ------- 
so this patch doesnt apply cleanly to 2.16.1 and 2.17 is right around the
corner

so we can sit and wait for 2.17 (which includes the patch) or i can spend
sometime trying to backport it

i'd prefer to just go with 2.17 myself :p

------- Comment #8 From SpanKY 2006-05-25 15:11:54 0000 ------- 
Created an attachment (id=87508) [details]
binutils-PR2584.patch

------- Comment #9 From Thierry Carrez (RETIRED) 2006-05-26 03:58:53 0000 ------- 
lets wait for 2.17

------- Comment #10 From Sune Kloppenborg Jeppesen 2006-06-10 00:25:07 0000 ------- 
Ubuntu just released USN-292-1 fixing this one.

------- Comment #11 From Sune Kloppenborg Jeppesen 2006-06-30 09:00:04 0000 ------- 
toolchain, please advise and patch as necessary.

------- Comment #12 From SpanKY 2006-06-30 15:46:52 0000 ------- 
2.17 is in the tree ...

personally, i dont think this is worth pushing into stable

------- Comment #13 From Sune Kloppenborg Jeppesen 2006-07-01 00:13:50 0000 ------- 
Thx Mike, changing component to default configs.

------- Comment #14 From Raphael Marichez 2006-09-07 10:57:08 0000 ------- 
Hi,

do we need to wait until 2.17 to be stabilized everywhere before closing this
bug ?

------- Comment #15 From Raphael Marichez 2007-05-08 19:31:12 0000 ------- 
still waiting...

------- Comment #16 From SpanKY 2007-06-24 18:45:35 0000 ------- 
moving 2.17 to stable is fine now

------- Comment #17 From Sune Kloppenborg Jeppesen 2007-06-24 22:17:27 0000 ------- 
amd64 and x86 please test and mark 2.17 stable.

------- Comment #18 From Christoph Mende 2007-06-24 22:29:41 0000 ------- 
amd64 done

------- Comment #19 From Christian Faulhammer 2007-06-25 07:02:22 0000 ------- 
Created an attachment (id=123022) [details]
build.log

Tests fail...is this ok?

------- Comment #20 From SpanKY 2007-06-25 07:23:17 0000 ------- 
if the test failures match Bug 144419, then yes you can ignore them for they
are simple false positives

------- Comment #21 From Christian Faulhammer 2007-06-25 07:43:15 0000 ------- 
x86 stable, last arch, chaning status to glsa?

------- Comment #22 From Sune Kloppenborg Jeppesen 2007-06-25 08:53:33 0000 ------- 
We don't usually issue GLSAs for default config issues. So unless anyone
complains I just think we should close this one as fixed.

------- Comment #23 From SpanKY 2007-06-25 15:10:01 0000 ------- 
i'd agree, no glsa

------- Comment #24 From Matt Drew 2007-07-02 21:04:56 0000 ------- 
I vote no glsa, lets close it.

------- Comment #25 From Sune Kloppenborg Jeppesen 2007-07-15 09:46:05 0000 ------- 
Closing with NO GLSA.