Bug 629094 (CVE-2017-13710) - <sys-devel/binutils-2.30 : denial of service (NULL pointer dereference and application crash) (CVE-2017-13710)
Summary: <sys-devel/binutils-2.30 : denial of service (NULL pointer dereference and ap...
Status: RESOLVED FIXED
Alias: CVE-2017-13710
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://web.nvd.nist.gov/view/vuln/de...
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on: binutils-2.30-stable
Blocks:
Reported: 2017-08-27 18:57 UTC by D'juan McDonald (domhnall)
Modified: 2018-10-30 10:04 UTC

See Also:
Package list:
Runtime testing required: ---


Description D'juan McDonald (domhnall) 2017-08-27 18:57:29 UTC
From ${URL}:

 
The setup_group function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a group section that is too small.

CVE Details: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13710

Upstream Patch:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0c54f69295208331faab9bc5e995111a35672f9b
Comment 1 Andreas K. Hüttel gentoo-dev 2017-10-13 18:31:24 UTC
2.29, 2.29.1 affected

Fixed in git master, patch does not apply to 2.29 branch
Comment 2 Andreas K. Hüttel gentoo-dev 2018-04-29 16:22:04 UTC
Fixed upstream in master and 2.30 branch, will be in Gentoo 2.30 patchlevel 2
and later.
Comment 3 Andreas K. Hüttel gentoo-dev 2018-04-29 16:24:23 UTC
(In reply to Andreas K. Hüttel from comment #2)
> Fixed upstream in master and 2.30 branch, will be in Gentoo 2.30 patchlevel 2
> and later.

Actually, is already fixed in sys-devel/binutils-2.30
Comment 4 D'juan McDonald (domhnall) 2018-10-26 10:59:48 UTC
@maintainer(s), are we able to proceed here? Not sure if GLSA is still needed as upgrade path already established for 2.30-r4 fulfilled.

Also, removing blocked and stable from whiteboard to reflect current state.