From ${URL} : The getvalue function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted tekhex file, as demonstrated by mishandling within the nm program. Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=21670 Upstream patch: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=04e15b4a9462cb1ae819e878a6009829aab8020b @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
commit cf5003fe2fc3b45f366d0a3c6fdf834ed9d54321 Author: Matthias Maier <tamiko@gentoo.org> Date: Tue Aug 1 19:05:14 2017 -0500 sys-devel/binutils: version bump to 2.28.1, patchset 1.0 Includes fixes for bugs #622036 #622500 #622886 #624524 #624702 Package-Manager: Portage-2.3.6, Repoman-2.3.3
@Maintainers could you please confirm if we need to stabilize or should we proceed with cleanup? Thanks Gentoo Security Padawan ChrisADR
All vulnerable versions are masked. No cleanup (toolchain package).
This issue was resolved and addressed in GLSA 201709-02 at https://security.gentoo.org/glsa/201709-02 by GLSA coordinator Aaron Bauman (b-man).