Debian Bug report logs - #368237
binutils: CVE-2006-2362: buffer overflow in libbfd
Reported by: Alec Berryman <alec@thened.net>
Date: Sat, 20 May 2006 19:18:04 UTC
Severity: grave
Tags: patch, security
Found in version binutils/2.16.1cvs20060413-1
Fixed in version 2.17-1
Done: Philippe Cloutier <philippe.cloutier.2@ulaval.ca>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, James Troup <james@nocrew.org>: Bug#368237; Package binutils.
Acknowledgement sent to Alec Berryman <alec@thened.net>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, James Troup <james@nocrew.org>.
Message #5 received at submit@bugs.debian.org:
Package: binutils
Version: 2.16.1cvs20060413-1
Severity: normal
Tags: security patch
CVE-2006-2362: "Buffer overflow in getsym in tekhex.c in libbfd in Free
Software Foundation GNU Binutils before 20060423, as used by GNU
strings, allows context-dependent attackers to cause a denial of service
(application crash) and possibly execute arbitrary code via a file with
a crafted Tektronix Hex Format (TekHex) record in which the length
character is not a valid hexadecimal character."
This is bugzilla #2584 [1]. The entry contains a test case; I have
verified that it causes the described behavior with `strings` from
2.16.1cvs20060413-1. There is a proposed patch [2] but I have not yet
verified it.
Please mention the CVE in your changelog.
Thanks,
Alec
[1] http://sourceware.org/bugzilla/show_bug.cgi?id=2584
[2] http://sourceware.org/bugzilla/attachment.cgi?id=978&action=view
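The CVE text above says the problem is a symbol-length character that is not valid hex. The following is an added illustration written for this page, not the binutils code and not the reporter's test case: it models a TekHex symbol field (one length nibble followed by the name bytes) the way getsym() treated it, and pairs the unchecked length computation with a hardened parser. The 17-byte symbol buffer and the value 99 for a non-hex byte are assumptions modelled on bfd/tekhex.c and libiberty's hex table; the record fragments are constructed for the example.

```c
/* Added example for CVE-2006-2362: not from binutils or the bug report.
 * Models how a TekHex symbol field "<len-nibble><name bytes>" was parsed. */
#include <stdio.h>
#include <string.h>

#define HEX_BAD 99   /* assumption: libiberty's hex table maps non-hex bytes to 99 */
#define SYM_BUF 17   /* assumption: bfd keeps a 16-char symbol plus NUL          */

/* Nibble value of a hex digit, or HEX_BAD for anything else. */
static unsigned hex_value(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return HEX_BAD;
}

/* Pre-fix behaviour: the length byte goes straight into hex_value() with no
 * validity check, and that many bytes are then copied into the SYM_BUF
 * buffer. Returned here instead of performed, so the caller can see that a
 * non-hex byte yields 99, far more than the 16 bytes the buffer can hold. */
static unsigned unchecked_sym_len(const char *field)
{
    return hex_value((unsigned char)field[0]);
}

/* Hardened parse: rejects a non-hex length byte, a length that does not fit
 * in dst, and a field that ends before the declared length. Returns the
 * number of name bytes copied, or -1 on a malformed field. On success *next
 * (if given) points just past the symbol so the caller can continue. */
static int getsym_checked(char *dst, size_t dstsz, const char *field,
                          const char **next)
{
    unsigned len = hex_value((unsigned char)field[0]);
    if (len == HEX_BAD || len + 1 > dstsz)
        return -1;                       /* bad or oversized length nibble */
    if (strlen(field + 1) < len)
        return -1;                       /* record truncated */
    memcpy(dst, field + 1, len);
    dst[len] = '\0';
    if (next)
        *next = field + 1 + len;
    return (int)len;
}

/* Wrappers that keep the buffer internal, for callers that only need the
 * result of parsing a single field. */
static int checked_sym_len(const char *field)
{
    char buf[SYM_BUF];
    return getsym_checked(buf, sizeof buf, field, NULL);
}

static const char *checked_sym_name(const char *field)
{
    static char buf[SYM_BUF];
    return getsym_checked(buf, sizeof buf, field, NULL) < 0 ? NULL : buf;
}

int main(void)
{
    /* Constructed symbol fields: well formed, crafted length byte, truncated. */
    const char *fields[] = { "4main", "Zmain", "F" };
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        unsigned raw = unchecked_sym_len(fields[i]);
        int ok = checked_sym_len(fields[i]);
        printf("field %-6s unchecked len=%-3u %s  checked=%d\n", fields[i], raw,
               raw >= SYM_BUF ? "(overflows 17-byte buffer)" : "(fits)", ok);
    }
    return 0;
}
```

The "Zmain" case is the shape the CVE describes: the unchecked path turns the non-hex 'Z' into a length of 99 and would copy past the end of a 17-byte stack buffer, while the checked parser refuses the field. The "F" case shows the second check a practitioner wants alongside the first: even a valid nibble must not be trusted past the end of the record.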
Severity set to `grave' from `normal'. Request was from Sam Hocevar (Debian packages) <sam+deb@zoy.org> to control@bugs.debian.org.
Reply sent to Philippe Cloutier <philippe.cloutier.2@ulaval.ca>: You have taken responsibility.
Notification sent to Alec Berryman <alec@thened.net>: Bug acknowledged by developer.
Message #12 received at 368237-done@bugs.debian.org:
Version: 2.17-1
CVSS Severity: 7.0 (High)
Canonical rolled a 2.15-5ubuntu2.3 for this. Should a DSA be issued?
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 06:21:34 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 16:45:59 2019
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.