Bug 527616

Summary: sys-devel/binutils: Multiple vulnerabilities (CVE-2014-{8484,8485,8501,8502,8503,8504})
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: normal
CC: toolchain
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://sourceware.org/bugzilla/show_bug.cgi?id=17512
Whiteboard: A3 [upstream/ebuild]
Package list:
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2014-10-31 13:50:26 UTC
Multiple memory corruption issues have been found in libbfd, which is part of binutils. These may allow attacks if some of the tools like objdump, nm or strings are used on untrusted inputs.

These issues have been found by multiple people through fuzzing and, if I haven't lost oversight, six CVEs have been assigned (I wouldn't be surprised if more issues pop up and I encourage everyone to look for them).

Upstream bug reports:
https://sourceware.org/bugzilla/show_bug.cgi?id=17510
https://sourceware.org/bugzilla/show_bug.cgi?id=17512

All of these are fixed in the upcoming binutils 2.25 branch.

Comment 1 SpanKY gentoo-dev 2014-11-09 00:20:52 UTC
still largely a non-issue

*** This bug has been marked as a duplicate of bug 526626 ***

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-25 00:20:06 UTC
Releasing CVE alias to use it in the original bug.