Hi
I have also started to look into CVE-2016-6131. I agree with Markus that this is not a security issue.
Well, it is an issue for the availability of the tool itself, that is, if you stumble on it the tool may crash. So in a sense it is a low impact on availability. However, I hardly think we should consider availability impact on build tools.
RedHat seem to have come to the same conclusion:
Due to this I have marked this as no-dsa (except for binutils, where I let Brian judge that as he is working on it). If you disagree, please complain and/or reverse what I did.
This means that I have also removed the following packages from dla-needed.txt.
- gdb
- gcc-h8300-hms
- ht
- binutils-h8300-hms
- valgrind
I did not remove binutils from dla-needed.txt as Brian had claimed that and it was discussed above that it may be good to have safe fixes even though they are not strictly needed.
Best regards
// Ola