There was found a buffer overflow vulnerability in binutils 2.6 and lower in ihex.c. Waiting for CVE assignment: http://seclists.org/oss-sec/2015/q3/265
Created attachment 1059121 [details] Upstream patch
Created attachment 1059123 [details] Reproducer
Created binutils tracking bugs for this issue: Affects: fedora-all [bug 1250141]
This bug is now fixed in: binutils-2.25.1-3.fc24 I am not sure if the problem is important enough to warrant backporting the patch to earlier versions of Fedora however.
I wouldn't think that ihex would be important enough to warrant backporting to earlier versions of fedora.
For RHEL5/6/7/Fedora, the stack-based buffer overflow is detected and mitigated by fortify source. Thus, the worst outcome should be a mere crash/application abort. It should not be possible to exploit this flaw to gain code execution. Statement: This issue affects the versions of binutils as shipped with Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this issue as having Low security impact. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
fedora-all/arm-none-eabi-binutils-cs=affected appears to be missing from the Whiteboard. This has been fixed in cross-binutils but not yet in the other *-binutils packages.