CVE-2017-8398 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8398): dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary. This vulnerability causes programs that conduct an analysis of binary programs, such as objdump and readelf, to crash. Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34
2.27: could not backport patch 2.28: Fixed in 2.28-r1 commit 2f7eb9e2fe785abde175d4f7a041fa64d330fdf7 (HEAD -> master, origin/master, origin/HEAD) Author: Matthias Maier <tamiko@gentoo.org> Date: Tue Jun 6 17:04:54 2017 -0500 sys-devel/binutils: 2.28 - multiple security fixes, bug #618514, bug #618516, bug #618520, bug #618826 CVE-2017-9041 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=75ec1fdbb797a389e4fe4aaf2e15358a070dcc19 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=c4ab9505b53cdc899506ed421fddb7e1f8faf7a3 CVE-2017-9040, CVE-2017-9042 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf CVE-2017-9039 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=82156ab704b08b124d319c0decdbd48b3ca2dac5 CVE-2017-9038 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d CVE-2017-8421 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=39ff1b79f687b65f4144ddb379f22587003443fb CVE-2017-8396, CVE-2017-8397 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=04b31182bf3f8a1a76e995bdfaaaab4c009b9cb2 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a941291cab71b9ac356e1c03968c177c03e602ab CVE-2017-8395 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e63d123268f23a4cbc45ee55fb6dbc7d84729da3 CVE-2017-8394 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7eacd66b086cabb1daab20890d5481894d4f56b2 CVE-2017-8393 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bce964aa6c777d236fbd641f2bc7bb931cfe4bf3 CVE-2017-8398 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34 CVE-2017-7614 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ad32986fdf9da1c8748e47b8b45100398223dba8 [1] https://bugs.gentoo.org/show_bug.cgi?id=618514 [2] https://bugs.gentoo.org/show_bug.cgi?id=618516 [3] https://bugs.gentoo.org/show_bug.cgi?id=618820 [4] https://bugs.gentoo.org/show_bug.cgi?id=618826 [5] https://bugs.gentoo.org/show_bug.cgi?id=618006 Package-Manager: Portage-2.3.6, Repoman-2.3.2
All vulnerable versions are masked. No cleanup (toolchain package).
This issue was resolved and addressed in GLSA 201709-02 at https://security.gentoo.org/glsa/201709-02 by GLSA coordinator Aaron Bauman (b-man).