Bug 527616 - sys-devel/binutils: Multiple vulnerabilities (CVE-2014-{8484,8485,8501,8502,8503,8504})
Status: RESOLVED DUPLICATE of bug 526626
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://sourceware.org/bugzilla/show_...
Whiteboard: A3 [upstream/ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-31 13:50 UTC by Hanno Böck
Modified: 2016-11-25 00:20 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hanno Böck gentoo-dev 2014-10-31 13:50:26 UTC
Multiple memory corruption issues have been found in libbfd, which is part of binutils. These may allow attacks if some of the tools like objdump, nm or strings are used on untrusted inputs.

These issues have been found by multiple people through fuzzing, and if I haven't lost oversight, six CVEs have been assigned (I wouldn't be surprised if more issues pop up and I encourage everyone to look for them).

Upstream bug reports:
https://sourceware.org/bugzilla/show_bug.cgi?id=17510
https://sourceware.org/bugzilla/show_bug.cgi?id=17512

All of these are fixed in the upcoming binutils 2.25 branch.
Comment 1 SpanKY gentoo-dev 2014-11-09 00:20:52 UTC
still largely a non-issue

*** This bug has been marked as a duplicate of bug 526626 ***
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-25 00:20:06 UTC
Releasing CVE alias to use it in the original bug.