Summary: | <sys-devel/binutils-2.37_p1 : Multiple vulnerabilities (CVE-2021-{3530,3549}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://sourceware.org/bugzilla/show_bug.cgi?id=27294 | ||
Whiteboard: | A3 [glsa+] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 813762 | ||
Bug Blocks: |
Description
Sam James
2021-05-27 00:00:36 UTC
Patch: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1cfcf3004e1830f8fe9112cfcd15285508d2c2b7 Which release is this in? $ git clone git://sourceware.org/git/binutils-gdb.git $ cd binutils-gdb $ git log binutils-2_36 --oneline | grep "PR27290, PR27293, PR27295" $ git log binutils-2_36_1 --oneline | grep "PR27290, PR27293, PR27295" $ git log master --oneline | grep "PR27290, PR27293, PR27295" 1cfcf3004e1 PR27290, PR27293, PR27295, various avr objdump fixes for convenience $ git format-patch 1cfcf3004e1~1..1cfcf3004e1 0001-PR27290-PR27293-PR27295-various-avr-objdump-fixes.patch * CVE-2021-3530 Description: "A flaw was discovered in GNU libiberty within demangle_path() in rust-demangle.c, as distributed in GNU Binutils version 2.36. A crafted symbol can cause stack memory to be exhausted leading to a crash." Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. CVE-2021-3530 A flaw was discovered in GNU libiberty within demangle_path() in rust-demangle.c, as distributed in GNU Binutils version 2.36. A crafted symbol can cause stack memory to be exhausted leading to a crash. https://bugzilla.redhat.com/show_bug.cgi?id=1956423 I assume this is https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99935 (which is fixed in binutils-2.37) CVE-2021-3549 An out of bounds flaw was found in GNU binutils objdump utility version 2.36. An attacker could use this flaw and pass a large section to avr_elf32_load_records_from_section() probably resulting in a crash or in some cases memory corruption. The highest threat from this vulnerability is to integrity as well as system availability. https://sourceware.org/bugzilla/show_bug.cgi?id=27294 Fixed in binutils-2.37 Please cleanup. (In reply to John Helmert III from comment #13) > Please cleanup. Er, sorry, this is toolchain@ so please handle as necessary :) The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53686a56f9eaa50e8f549c92578a181d590c812f commit 53686a56f9eaa50e8f549c92578a181d590c812f Author: Andreas K. Hüttel <dilfridge@gentoo.org> AuthorDate: 2021-10-10 22:20:12 +0000 Commit: Andreas K. Hüttel <dilfridge@gentoo.org> CommitDate: 2021-10-10 22:20:55 +0000 package.mask: extend binutils mask to <2.37_p1 Bug: https://bugs.gentoo.org/792342 Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org> profiles/package.mask | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) No cleanup, but all affected are masked now. GLSA request filed The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=1d8cf0a3e06fbdd4dd76f179edfa141b674a0968 commit 1d8cf0a3e06fbdd4dd76f179edfa141b674a0968 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-08-14 21:47:19 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-08-14 21:48:21 +0000 [ GLSA 202208-30 ] GNU Binutils: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/778545 Bug: https://bugs.gentoo.org/792342 Bug: https://bugs.gentoo.org/829304 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Sam James <sam@gentoo.org> glsa-202208-30.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) GLSA done, all done. |