Re: squeeze update of dwarfutils?
Hi Troy,
On Tue, Dec 15, 2015 at 12:18:28PM -0700, Troy Heber wrote:
> On 12/11/15 11:21, Guido Günther wrote:
>  
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Squeeze version of dwarfutils:
> > https://security-tracker.debian.org/tracker/CVE-2015-8538
> > 
> > Would you like to take care of this yourself?
> 
> According to the RHEL bug[1] for CVE-2015-8538 :
> 
>   "There is a out of bound read in  latest release version
>   dwarf-20151114, and we have tested the other version dwarf-20140805,
>   so we guess the versions which are between these two version will be
>   affected too."
> 
> I just tested the version in squeeze (20100214-1) and it is indeed not
> affected by this CVE, and does not segfault with the provided test case.

It doesn't segfault but I added this note to dla-needed (so I remember
why I think it's affected):

dwarfutils
  NOTE: exploit does not crash dwarfutils but _dwarf_get_abbrev_for_code lacks the check

I do think it would be good to add the check to guard against other
broken binaries or did I misread the code?

Cheers,
 -- Guido