binutils: CVE-2017-7209

Related Vulnerabilities: CVE-2017-7209   CVE-2017-7210   CVE-2017-6965   CVE-2017-6969   CVE-2017-6966   CVE-2016-4491  

Debian Bug report logs - #858323


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 21 Mar 2017 09:57:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version binutils/2.28-2

Fixed in version binutils/2.28-3

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceware.org/bugzilla/show_bug.cgi?id=21135




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthias Klose <doko@debian.org>:
Bug#858323; Package src:binutils. (Tue, 21 Mar 2017 09:57:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthias Klose <doko@debian.org>. (Tue, 21 Mar 2017 09:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: binutils: CVE-2017-7209
Date: Tue, 21 Mar 2017 10:52:03 +0100
Source: binutils
Version: 2.28-2
Severity: important
Tags: upstream security patch
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=21135

Hi,

the following vulnerability was published for binutils.

CVE-2017-7209[0]:
| The dump_section_as_bytes function in readelf in GNU Binutils 2.28
| accesses a NULL pointer while reading section contents in a corrupt
| binary, leading to a program crash.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7209
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7209

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
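
The CVE text above describes the failure class, not the fix: a section-contents lookup on a corrupt ELF returns NULL (or an out-of-file pointer) and the dumper uses it anyway. The following is an added illustration of a bounds-checked section reader and a dumper that refuses a NULL result; it is not code from binutils or from this bug report, does not reproduce the actual PR 21135 crash, and assumes a little-endian host and a hand-built in-memory ELF64 image (constructed here, not a real file). The struct layouts mirror <elf.h> but are defined locally so the example builds without platform headers.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal ELF64 header structures, laid out as in <elf.h>. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr64;

typedef struct {
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
} Shdr64;

/* Locate section `idx` inside the `len`-byte image `img`.
   Returns NULL when the ELF header, the section header table, or the
   section's [sh_offset, sh_offset + sh_size) range does not fit in the
   file; every range test is written so the arithmetic cannot overflow. */
static const unsigned char *get_section_contents(const unsigned char *img, size_t len,
                                                 uint16_t idx, uint64_t *size_out)
{
    Ehdr64 eh;
    Shdr64 sh;

    if (len < sizeof eh) return NULL;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2 /* ELFCLASS64 */)
        return NULL;
    if (eh.e_shentsize != sizeof sh || idx >= eh.e_shnum) return NULL;
    if (eh.e_shoff > len || (uint64_t)eh.e_shnum * sizeof sh > len - eh.e_shoff)
        return NULL;                               /* header table outside the file */
    memcpy(&sh, img + eh.e_shoff + (size_t)idx * sizeof sh, sizeof sh);
    if (sh.sh_offset > len || sh.sh_size > len - sh.sh_offset)
        return NULL;                               /* contents outside the file */
    *size_out = sh.sh_size;
    return img + sh.sh_offset;
}

/* Hex-dump section `idx` into `out`. Returns the number of section bytes,
   or -1 when the section cannot be located. The NULL test on `start` is the
   check whose absence turns a corrupt header into a crash. */
static int dump_section_as_bytes(const unsigned char *img, size_t len, uint16_t idx,
                                 char *out, size_t outlen)
{
    uint64_t size = 0;
    const unsigned char *start = get_section_contents(img, len, idx, &size);

    if (start == NULL) {                           /* corrupt or missing: refuse */
        if (outlen) out[0] = '\0';
        return -1;
    }
    if (size > INT_MAX || outlen < size * 2 + 1) return -1;
    for (uint64_t i = 0; i < size; i++)
        snprintf(out + i * 2, 3, "%02x", start[i]);
    return (int)size;
}

/* Constructed 200-byte ELF64 image: header at 0, 4 bytes of section data at
   64, two section headers at 72. With `corrupt` set, section 1's sh_offset
   points far beyond the end of the file (hypothetical corruption). */
static size_t build_image(unsigned char *buf, int corrupt)
{
    const unsigned char payload[4] = { 'A', 'B', 'C', 'D' };
    Ehdr64 eh;
    Shdr64 sh[2];

    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1;   /* 64-bit, LE, v1 */
    eh.e_type = 1; eh.e_machine = 62; eh.e_version = 1;        /* ET_REL, x86-64 */
    eh.e_ehsize = sizeof eh; eh.e_shentsize = sizeof(Shdr64); eh.e_shnum = 2;
    eh.e_shoff = 72;
    memset(sh, 0, sizeof sh);
    sh[1].sh_type = 1;                                         /* SHT_PROGBITS */
    sh[1].sh_offset = corrupt ? 0x100000 : 64;
    sh[1].sh_size = sizeof payload;

    memset(buf, 0, 200);
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + 64, payload, sizeof payload);
    memcpy(buf + 72, sh, sizeof sh);
    return 200;
}

int main(void)
{
    unsigned char img[200];
    char hex[64];
    size_t n = build_image(img, 0);
    int got = dump_section_as_bytes(img, n, 1, hex, sizeof hex);
    printf("well-formed image: %d bytes: %s\n", got, hex);
    n = build_image(img, 1);
    got = dump_section_as_bytes(img, n, 1, hex, sizeof hex);
    printf("corrupt image: %d (refused without dereferencing)\n", got);
    return 0;
}
```

The same shape applies to any tool that dumps, disassembles or hashes sections of untrusted binaries: the reader validates offsets against the file length and signals failure, and the caller treats that failure as data, not as a pointer.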



Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 27 Mar 2017 17:39:02 GMT)


Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Wed, 05 Apr 2017 16:21:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 05 Apr 2017 16:21:15 GMT)


Message #12 received at 858323-close@bugs.debian.org:

From: Matthias Klose <doko@debian.org>
To: 858323-close@bugs.debian.org
Subject: Bug#858323: fixed in binutils 2.28-3
Date: Wed, 05 Apr 2017 16:19:10 +0000
Source: binutils
Source-Version: 2.28-3

We believe that the bug you reported is fixed in the latest version of
binutils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 858323@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated binutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 05 Apr 2017 17:48:03 +0200
Source: binutils
Binary: binutils binutils-dev binutils-multiarch binutils-multiarch-dev binutils-hppa64-linux-gnu binutils-doc binutils-source binutils-s390x-linux-gnu binutils-powerpc64le-linux-gnu binutils-powerpc-linux-gnu binutils-aarch64-linux-gnu binutils-arm-linux-gnueabihf binutils-arm-linux-gnueabi binutils-mips-linux-gnu binutils-mipsel-linux-gnu binutils-alpha-linux-gnu binutils-hppa-linux-gnu binutils-m68k-linux-gnu binutils-mips64-linux-gnuabi64 binutils-mips64el-linux-gnuabi64 binutils-powerpc-linux-gnuspe binutils-powerpc64-linux-gnu binutils-sh4-linux-gnu binutils-sparc64-linux-gnu binutils-mips64-linux-gnuabin32 binutils-mips64el-linux-gnuabin32
Architecture: source
Version: 2.28-3
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Description:
 binutils   - GNU assembler, linker and binary utilities
 binutils-aarch64-linux-gnu - GNU binary utilities, for aarch64-linux-gnu target
 binutils-alpha-linux-gnu - GNU binary utilities, for alpha-linux-gnu target
 binutils-arm-linux-gnueabi - GNU binary utilities, for arm-linux-gnueabi target
 binutils-arm-linux-gnueabihf - GNU binary utilities, for arm-linux-gnueabihf target
 binutils-dev - GNU binary utilities (BFD development files)
 binutils-doc - Documentation for the GNU assembler, linker and binary utilities
 binutils-hppa-linux-gnu - GNU binary utilities, for hppa-linux-gnu target
 binutils-hppa64-linux-gnu - GNU assembler, linker and binary utilities targeted for hppa64-li
 binutils-m68k-linux-gnu - GNU binary utilities, for m68k-linux-gnu target
 binutils-mips-linux-gnu - GNU binary utilities, for mips-linux-gnu target
 binutils-mips64-linux-gnuabi64 - GNU binary utilities, for mips64-linux-gnuabi64 target
 binutils-mips64-linux-gnuabin32 - GNU binary utilities, for mips64-linux-gnuabin32 target
 binutils-mips64el-linux-gnuabi64 - GNU binary utilities, for mips64el-linux-gnuabi64 target
 binutils-mips64el-linux-gnuabin32 - GNU binary utilities, for mips64el-linux-gnuabin32 target
 binutils-mipsel-linux-gnu - GNU binary utilities, for mipsel-linux-gnu target
 binutils-multiarch - Binary utilities that support multi-arch targets
 binutils-multiarch-dev - GNU binary utilities that support multi-arch targets (BFD develop
 binutils-powerpc-linux-gnu - GNU binary utilities, for powerpc-linux-gnu target
 binutils-powerpc-linux-gnuspe - GNU binary utilities, for powerpc-linux-gnuspe target
 binutils-powerpc64-linux-gnu - GNU binary utilities, for powerpc64-linux-gnu target
 binutils-powerpc64le-linux-gnu - GNU binary utilities, for powerpc64le-linux-gnu target
 binutils-s390x-linux-gnu - GNU binary utilities, for s390x-linux-gnu target
 binutils-sh4-linux-gnu - GNU binary utilities, for sh4-linux-gnu target
 binutils-source - GNU assembler, linker and binary utilities (source)
 binutils-sparc64-linux-gnu - GNU binary utilities, for sparc64-linux-gnu target
Closes: 857017 858256 858263 858264 858323 858324 859503
Changes:
 binutils (2.28-3) unstable; urgency=medium
 .
   * Update, taken from the 2.28 branch 20170405.
     - RISC-V updates.
     - Fix PR binutils/21303 (PPC), objdump doesn't show e200z4 insns.
     - S/390: Remove vx2 facility flag.
     - Update -maltivec and -mvsx options to only enable their oldest
       instructions (PPC).
     - Add support for the new 'lnia' extended mnemonic (PPC).
     - Fix ld uninitialized read of script ASSERT data structure.
   * Fix incorrect library search order on PowerPC, taken from the trunk.
   * Fix PR ld/21233 (MIPS only), taken from the trunk. Closes: #857017.
   * Fix a french translation. Closes: #859503.
   * Fix PR binutils/21157, handling of corrupt STABS enum type strings.
     Closes: #858324. CVE-2017-7210.
   * Fix PR binutils/21137, readelf writing to illegal addresses.
     Closes: #858264. CVE-2017-6965.
   * Fix PR binutils/21156, illegal memory accesses in readelf.
     Closes: #858256. CVE-2017-6969.
   * Fix PR binutils/21139, read-after-free error in readelf.
     Closes: #858263. CVE-2017-6966.
   * Fix PR binutils/21135, invalid read of section contents.
     Closes: #858323. CVE-2017-7209.
   * Fix PR demangler/70909, libiberty Demangler segfaults. CVE-2016-4491.
Checksums-Sha1:
 7efe950699d03b49eda3939742cae429b76df0b8 4374 binutils_2.28-3.dsc
 6205e40272a07936dc6fb619c8a2a902abb96948 220910 binutils_2.28-3.diff.gz
 611efc013e995e0eb9f4deb5863e0ad989dfc52b 6320 binutils_2.28-3_source.buildinfo
Checksums-Sha256:
 bbc1f2473bd4e38819f83b846d9a707abdfd04583a2d5033b6e23bc244c1efe2 4374 binutils_2.28-3.dsc
 c2b39e4cc0b71539708a8b666f7ca996fec8ea4b76f8207a1590f8c557386b9d 220910 binutils_2.28-3.diff.gz
 2a11b10c55454c441ecdcbc3181483f39211d05ed6d6cf74d272e21e430be131 6320 binutils_2.28-3_source.buildinfo
Files:
 8cf58331a647cb74c69c2d35e26d6418 4374 devel optional binutils_2.28-3.dsc
 d657891357665cac58dd9e04ad083b80 220910 devel optional binutils_2.28-3.diff.gz
 b8ef4adbb4be3aebad3885081931fd70 6320 devel optional binutils_2.28-3_source.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 12 Jun 2017 07:25:45 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:41:19 2019; Machine Name: buxtehude
