The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.

CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2017-9742
Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=21576
Upstream patch: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e64519d1ed7fd8f990f05a5562d5b5c0c44b7d7e
Sorry everyone, I have made a mistake. This vulnerability does not exist in the sys-libs/binutils-libs, it is actually located in the sys-devel/binutils package.
Security, please assign rating.

commit cf5003fe2fc3b45f366d0a3c6fdf834ed9d54321
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Tue Aug 1 19:05:14 2017 -0500

    sys-devel/binutils: version bump to 2.28.1, patchset 1.0

    Includes fixes for bugs #622036 #622500 #622886 #624524 #624702

    Package-Manager: Portage-2.3.6, Repoman-2.3.3
@arches, please stabilize.
Should also include binutils-libs?
ia64 stable
arm stable
The same bug is again the issue: https://bugs.gentoo.org/show_bug.cgi?id=612436 Is there anything that can be done to prevent it?
amd64 stable
alpha stable
ppc stable
ppc64 stable
I run into test failures while trying to stabilize on x86, see bug 629326. Please tell me how to proceed.
sparc stable (thanks to Dakon)
x86 stable
stable for hppa (thanks to Rolf Eike Beer). Last arch is done here!
@Maintainer(s): Please clean the vulnerable versions from the tree.
All vulnerable versions are masked. No cleanup (toolchain package).
This issue was resolved and addressed in GLSA 201709-02 at https://security.gentoo.org/glsa/201709-02 by GLSA coordinator Aaron Bauman (b-man).