Bug 1162666 (CVE-2014-8738)

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2014-8738 binutils: out of bounds memory write | | |
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | carnil, dan, dhowells, erik-fedora, fedora-mingw, jakub, jrusnack, kalevlember, kanderso, law, lkundrak, mhlavink, mnewsome, mprchlik, nickc, nobody+bgollahe, ohudlick, pfrankli, rjones, rob, slawomir, swhiteho, thibault.north, trond.danielsen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | binutils-2.23.52.0.1-55.el7 | Doc Type: | Bug Fix |
| Doc Text: | A heap-based buffer overflow flaw was found in the way certain binutils utilities processed archive files. If a user were tricked into processing a specially crafted archive file, it could cause the utility used to process that archive to crash or, potentially, execute arbitrary code with the privileges of the user running that utility. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-08 02:35:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1162669, 1162670, 1162671, 1162672, 1162673, 1162674, 1162675, 1162676, 1162678, 1168281, 1168302, 1172710 | | |
| Bug Blocks: | 1156276, 1210268 | | |
| Attachments: | | | |
Description

Vasyl Kaigorodov, 2014-11-11 12:52:56 UTC

Created mingw-binutils tracking bugs for this issue: Affects: fedora-all [bug 1162673]; Affects: epel-all [bug 1162678]

Created avr-binutils tracking bugs for this issue: Affects: fedora-all [bug 1162670]; Affects: epel-all [bug 1162675]

Created arm-none-eabi-binutils-cs tracking bugs for this issue: Affects: fedora-all [bug 1162669]

Created msp430-binutils tracking bugs for this issue: Affects: fedora-all [bug 1162674]

Created cross-binutils tracking bugs for this issue: Affects: fedora-all [bug 1162672]; Affects: epel-all [bug 1162676]

Created binutils tracking bugs for this issue: Affects: fedora-all [bug 1162671]

Created attachment 957153 [details]: Imported for PR 17533

Fixed in: binutils-2.24-29.fc22

I have applied a patch (uploaded to this BZ) to the rawhide binutils. It is derived from the patches created for PR 17533, adapted to work with the rawhide sources. Ideally the patch will soon be redundant, as rawhide should be switching over to the 2.25 binutils release, once that actually happens. 2.25 already contains this patch.

Statement: Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

arm-none-eabi-binutils-cs-2014.05.28-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

avr-binutils-2.24-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

avr-binutils-2.24-4.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

arm-none-eabi-binutils-cs-2014.05.28-3.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

avr-binutils-2.24-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

arm-none-eabi-binutils-cs-2014.05.28-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

binutils-2.24-30.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Reproducer is available in https://sourceware.org/bugzilla/show_bug.cgi?id=17533#c0

cross-binutils-2.23.88.0.1-2.el7.1 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

cross-binutils-2.23.51.0.3-1.el6.1 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

I have checked in an updated patch for this issue. The previous version of the patch was missing a delta, which effectively made it useless. The new version is available in: binutils-2.23.52.0.1-55.el7

oops - I should not have changed this BZ, sorry...

This issue has been addressed in the following products: Red Hat Enterprise Linux 7

Via RHSA-2015:2079 https://rhn.redhat.com/errata/RHSA-2015-2079.html