Summary: | <sys-devel/binutils-2.34: multiple vulnerabilities (CVE-2020-{35493,35494,35495,35496,35507}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | A3 [glsa+ cve] | ||
Package list: | Runtime testing required: | --- |
Description
John Helmert III
2021-01-06 20:08:56 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35a10404afc3d5e0db2ef6a052bf82ca30e32094 commit 35a10404afc3d5e0db2ef6a052bf82ca30e32094 Author: Andreas K. Hüttel <dilfridge@gentoo.org> AuthorDate: 2021-01-23 18:44:26 +0000 Commit: Andreas K. Hüttel <dilfridge@gentoo.org> CommitDate: 2021-01-23 18:45:12 +0000 package.mask: Extend binutils mask Bug: https://bugs.gentoo.org/764170 Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org> profiles/package.mask | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) All affected packages masked. No cleanup (toolchain). Please proceed. (In reply to Andreas K. Hüttel from comment #2) > All affected packages masked. No cleanup (toolchain). Please proceed. Thanks! GLSA request filed. This issue was resolved and addressed in GLSA 202107-24 at https://security.gentoo.org/glsa/202107-24 by GLSA coordinator John Helmert III (ajak). CVE-2020-35342 (https://sourceware.org/bugzilla/show_bug.cgi?id=25319): GNU Binutils before 2.34 has an uninitialized-heap vulnerability in function tic4x_print_cond (file opcodes/tic4x-dis.c) which could allow attackers to make an information leak. CVE-2020-21490 (https://sourceware.org/bugzilla/show_bug.cgi?id=25249): An issue was discovered in GNU Binutils 2.34. It is a memory leak when process microblaze-dis.c. This one will consume memory on each insn disassembled. CVE-2020-19724 (https://sourceware.org/bugzilla/show_bug.cgi?id=25362): A memory consumption issue in get_data function in binutils/nm.c in GNU nm before 2.34 allows attackers to cause a denial of service via crafted command. |