Bug 761957 (CVE-2020-35448) - <sys-devel/binutils-2.35.2: heap buffer overflow (CVE-2020-35448)
Alias: CVE-2020-35448
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa+ cve]
Depends on: 779805
Blocks: CVE-2019-9070, CVE-2019-9071, CVE-2019-9072, CVE-2019-9073, CVE-2019-9074, CVE-2019-9075, CVE-2019-9076, CVE-2019-9077, CVE-2020-16590, CVE-2020-16591, CVE-2020-16593, CVE-2020-16598, CVE-2020-19599
Reported: 2020-12-27 18:44 UTC by John Helmert III
Modified: 2021-07-10 02:52 UTC


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-27 18:44:52 UTC
CVE-2020-35448:

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1. A heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section in elf.c.


I don't see this patch in any release.
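
Added illustration, not part of the bug report and not binutils code: the class of check the CVE description says was missing, where a per-entry size taken from the file is validated before any record is read with a little-endian 32-bit accessor. The struct, the function names and the fixed 24-byte ELF64 RELA record size are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified section header: only the two fields involved. */
struct sec_hdr {
    uint64_t sh_size;    /* bytes of section data loaded into the buffer */
    uint64_t sh_entsize; /* per-entry size claimed by the file (untrusted) */
};

#define RELA64_SIZE 24u  /* ELF64 RELA record: r_offset, r_info, r_addend */

/* Little-endian signed 32-bit read; it trusts the caller's pointer. */
static int32_t getl_signed_32(const uint8_t *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/* Number of whole records in the section, or -1 if the header is bogus.
   Without the first check, an undersized sh_entsize (say 8) would give
   48 / 8 = 6 "records" for a 48-byte section that really holds 2. */
int64_t checked_entry_count(const struct sec_hdr *h)
{
    if (h->sh_entsize != RELA64_SIZE)   /* rejects 0 and any wrong size */
        return -1;
    if (h->sh_size % RELA64_SIZE != 0)  /* trailing partial record */
        return -1;
    return (int64_t)(h->sh_size / RELA64_SIZE);
}

/* Reads the low 32 bits of r_info for record idx; 0 on success, -1 on
   reject. data must hold h->sh_size bytes. */
int read_info_lo32(const struct sec_hdr *h, const uint8_t *data,
                   size_t idx, int32_t *out)
{
    int64_t n = checked_entry_count(h);
    if (n < 0 || (uint64_t)idx >= (uint64_t)n)
        return -1;
    *out = getl_signed_32(data + idx * RELA64_SIZE + 8); /* r_info at +8 */
    return 0;
}
```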
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2021-01-23 18:41:36 UTC
Cherry-picked for 2.35.1 patchset 3
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2021-04-17 23:09:05 UTC
(In reply to Andreas K. Hüttel from comment #1)
> Cherry-picked for 2.35.1 patchset 3

Also cherry-picked for 2.35.2 patchset 1, fixed in sys-devel/binutils/2.35.2
Comment 3 Larry the Git Cow gentoo-dev 2021-05-16 10:01:15 UTC
The bug has been referenced in the following commit(s):

commit b7c7bf9cf98bc2f32234865faf2c352c16362334
Author:     Andreas K. Hüttel <>
AuthorDate: 2021-05-16 10:00:08 +0000
Commit:     Andreas K. Hüttel <>
CommitDate: 2021-05-16 10:01:04 +0000

    package.mask: Extend binutils mask to <2.35.2
    Signed-off-by: Andreas K. Hüttel <>

 profiles/package.mask | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2021-05-16 10:01:57 UTC
All affected versions masked. No cleanup (toolchain).
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-06 00:48:16 UTC
GLSA request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2021-07-10 02:52:21 UTC
This issue was resolved and addressed in
 GLSA 202107-24 at
by GLSA coordinator John Helmert III (ajak).