I didn't investigate if our current stable is affected. Details at $URL. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
1) Did you test the unstable and masked versions? 2) I'm not sure the consequences of those two NULL pointer derefs are very serious.
2.27: could not backport patch, vulnerability unknown
2.28: Fixed in 2.28-r1

commit 2f7eb9e2fe785abde175d4f7a041fa64d330fdf7 (HEAD -> master, origin/master, origin/HEAD)
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Tue Jun 6 17:04:54 2017 -0500

    sys-devel/binutils: 2.28 - multiple security fixes, bug #618514, bug #618516, bug #618520, bug #618826

    CVE-2017-9041
    https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=75ec1fdbb797a389e4fe4aaf2e15358a070dcc19
    https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=c4ab9505b53cdc899506ed421fddb7e1f8faf7a3

    CVE-2017-9040, CVE-2017-9042
    https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf

    CVE-2017-9039
    https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=82156ab704b08b124d319c0decdbd48b3ca2dac5

    CVE-2017-9038
    https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d

    CVE-2017-8421
    https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=39ff1b79f687b65f4144ddb379f22587003443fb

    CVE-2017-8396, CVE-2017-8397
    https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=04b31182bf3f8a1a76e995bdfaaaab4c009b9cb2
    https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a941291cab71b9ac356e1c03968c177c03e602ab

    CVE-2017-8395
    https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e63d123268f23a4cbc45ee55fb6dbc7d84729da3

    CVE-2017-8394
    https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7eacd66b086cabb1daab20890d5481894d4f56b2

    CVE-2017-8393
    https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bce964aa6c777d236fbd641f2bc7bb931cfe4bf3

    CVE-2017-8398
    https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34

    CVE-2017-7614
    https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ad32986fdf9da1c8748e47b8b45100398223dba8

    [1] https://bugs.gentoo.org/show_bug.cgi?id=618514
    [2] https://bugs.gentoo.org/show_bug.cgi?id=618516
    [3] https://bugs.gentoo.org/show_bug.cgi?id=618820
    [4] https://bugs.gentoo.org/show_bug.cgi?id=618826
    [5] https://bugs.gentoo.org/show_bug.cgi?id=618006

    Package-Manager: Portage-2.3.6, Repoman-2.3.2
All vulnerable versions are masked. No cleanup (toolchain package).
This issue was resolved and addressed in GLSA 201709-02 at https://security.gentoo.org/glsa/201709-02 by GLSA coordinator Aaron Bauman (b-man).