Bug 621130 (CVE-2017-6965, CVE-2017-6966, CVE-2017-6969) - <sys-devel/binutils-2.28-r2: Multiple vulnerabilities CVE-2017-6965, CVE-2017-6966, CVE-2017-6969
Summary: <sys-devel/binutils-2.28-r2: Multiple vulnerabilities CVE-2017-6965, CVE-2017...
Status: RESOLVED FIXED
Alias: CVE-2017-6965, CVE-2017-6966, CVE-2017-6969
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa cve]
Keywords:
Depends on: 622500
Blocks: CVE-2017-7614 CVE-2017-8398 CVE-2017-8392, CVE-2017-8393, CVE-2017-8394, CVE-2017-8395, CVE-2017-8396, CVE-2017-8397 CVE-2017-8421 CVE-2017-9038, CVE-2017-9039, CVE-2017-9040, CVE-2017-9041, CVE-2017-9042
Reported: 2017-06-07 13:35 UTC by Andrey Ovcharov
Modified: 2017-09-17 15:31 UTC

See Also:
Package list:
sys-devel/binutils-2.28-r2 sys-libs/binutils-libs-2.28-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments
binutils-CVE-2017-6965.patch (binutils-CVE-2017-6965.patch,4.25 KB, patch)
2017-06-07 13:35 UTC, Andrey Ovcharov
binutils-CVE-2017-6966.patch (binutils-CVE-2017-6966.patch,7.75 KB, patch)
2017-06-07 13:35 UTC, Andrey Ovcharov
binutils-CVE-2017-6969.patch (binutils-CVE-2017-6969.patch,1.55 KB, patch)
2017-06-07 13:36 UTC, Andrey Ovcharov

Description Andrey Ovcharov 2017-06-07 13:35:30 UTC
Created attachment 475460
binutils-CVE-2017-6965.patch

sys-devel/binutils-2.28-r1: Multiple vulnerabilities CVE-2017-6965, CVE-2017-6966, CVE-2017-6969
Comment 1 Andrey Ovcharov 2017-06-07 13:35:57 UTC
Created attachment 475462
binutils-CVE-2017-6966.patch
Comment 2 Andrey Ovcharov 2017-06-07 13:36:17 UTC
Created attachment 475464
binutils-CVE-2017-6969.patch
Comment 4 Matthias Maier gentoo-dev 2017-06-07 14:48:57 UTC
commit 3e46392cbe2fa4b78c9d47f611c526e62dc88dac (HEAD -> master, origin/master, origin/HEAD)
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed Jun 7 09:46:44 2017 -0500

    sys-devel/binutils: 2.28 - multiple security fixes, bug #621130
    
    CVE-2017-6969
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b814a36d3440de95f2ac6eaa4fc7935c322ea456
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=43a444f9c5bfd44b4304eafd78338e21d54bea14
    
    CVE-2017-6966
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9
    
    CVE-2017-6965
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03f7786e2f440b9892b1c34a58fb26222ce1b493
    
    [1] https://bugs.gentoo.org/show_bug.cgi?id=621130
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.2
Comment 5 Matthias Maier gentoo-dev 2017-06-11 13:40:33 UTC
Arches, please test and mark stable

  sys-devel/binutils-2.28-r2
  sys-libs/binutils-libs-2.28-r1
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-12 12:42:14 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-12 12:55:10 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-06-13 12:35:24 UTC
ppc64 stable
Comment 9 Markus Meier gentoo-dev 2017-06-13 18:23:22 UTC
arm stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2017-06-20 15:02:59 UTC
Stable on alpha.
Comment 11 Agostino Sarubbo gentoo-dev 2017-06-21 12:03:31 UTC
ppc stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-21 21:56:20 UTC
ia64 stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-23 07:49:22 UTC
reverted ia64 back to ~ia64 as binutils-2.28-r2 fails to build gcc: bug #622500
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2017-07-15 18:31:05 UTC
dropping ia64 as bug #622500 will require sys-devel/binutils recut
Comment 15 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-19 13:13:51 UTC
Arches please finish stabilizing hppa. 


Gentoo Security Padawan 
ChrisADR
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2017-09-10 22:18:08 UTC
sparc was dropped to exp.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
Comment 17 Andreas K. Hüttel archtester gentoo-dev 2017-09-15 18:59:21 UTC
All vulnerable versions are masked. No cleanup (toolchain package).
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2017-09-17 15:31:49 UTC
This issue was resolved and addressed in
 GLSA 201709-02 at https://security.gentoo.org/glsa/201709-02
by GLSA coordinator Aaron Bauman (b-man).