Re: squeeze update of dwarfutils?



Hi,
On Wed, Dec 16, 2015 at 02:58:08PM -0700, Troy Heber wrote:
> On 12/16/15 18:44, Guido Günther wrote:
> > 
> > It doesn't segfault but I added this note to dla-needed (so I remember
> > why I think it's affected):
> > 
> > dwarfutils
> >   NOTE: exploit does not crash dwarfutils but _dwarf_get_abbrev_for_code lacks the check
> > 
> > I do think it would be good to add the check to guard against other
> > broken binaries or did I misread the code?
> 
> Hi Guido,
> 
> First, from a policy perspective, I would argue that since there is no
> security issue it does not make sense to provide an extremely minor
> fix to an LTS package. Especially in this situation, because the
> problem is only with corrupted input files.
> 
> However, that argument doesn't matter because in this case the
> dwarfdump binary is not the C version of dwarfdump but rather the C++
> version dwarfdump2. Back then dwarfdump2 was set to become the
> replacement for the original dwarfdump that was written in C.
> Recently, upstream decided to abandon the move to the C++ version and
> instead went back to the C version.

I missed that we're using dwarfdump2 in squeeze. Then it all makes
sense. Thanks!
 -- Guido

