Re: squeeze update of dwarfutils?
Hi Troy,

On Tue, Dec 15, 2015 at 12:18:28PM -0700, Troy Heber wrote:
> On 12/11/15 11:21, Guido Günther wrote:
>
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Squeeze version of dwarfutils:
> > https://security-tracker.debian.org/tracker/CVE-2015-8538
> >
> > Would you like to take care of this yourself?
>
> According to the RHEL bug[1] for CVE-2015-8538 :
>
> "There is a out of bound read in latest release version
> dwarf-20151114, and we have tested the other version dwarf-20140805,
> so we guess the versions which are between these two version will be
> affected too."
>
> I just tested the version in squeeze (20100214-1) and it is indeed not
> affected by this CVE, and does not segfault with the provided test case.

It doesn't segfault but I added this note to dla-needed (so I remember
why I think it's affected):

  dwarfutils
    NOTE: exploit does not crash dwarfutils but _dwarf_get_abbrev_for_code lacks the check

I do think it would be good to add the check to guard against other
broken binaries or did I misread the code?

Cheers,
 -- Guido