Re: CVE-2016-6131 binutils, gdb, valgrind etc.

To: Brian May <bam@debian.org>, Markus Koschany <apo@debian.org>
Cc: Debian LTS <debian-lts@lists.debian.org>, Matthias Klose <doko@debian.org>, James Troup <james@nocrew.org>, Daniel Jacobowitz <dan@debian.org>, Luciano Bello <luciano@debian.org>
Subject: Re: CVE-2016-6131 binutils, gdb, valgrind etc.
From: Ola Lundqvist <ola@inguza.com>
Date: Sun, 17 Jul 2016 23:29:26 +0200
Message-id: <[🔎] CABY6=0nMnuL8cBddRFBmq42Vq7QM=s25-00hotkQxCAffd_Jjw@mail.gmail.com>
In-reply-to: <[🔎] 87mvlkr8ja.fsf@prune.linuxpenguins.xyz>
References: <[🔎] 9f5539d9-6905-9533-c8c1-ffcf6928b4c7@debian.org> <[🔎] 874m83usgp.fsf@prune.linuxpenguins.xyz> <[🔎] 0e1e7e69-2bd2-8bb0-193d-612e7dd01f77@debian.org> <[🔎] 20160706162258.GE13768@layer-acht.org> <[🔎] CAK0Odpy0dyZVVZV5xqQ4qKu0whzKgPrnasQCBLi-iRHjCEehhQ@mail.gmail.com> <[🔎] 87twg1uda8.fsf@prune.linuxpenguins.xyz> <[🔎] 87mvlkr8ja.fsf@prune.linuxpenguins.xyz>

I have also started to look into CVE-2016-6131. I agree with Markus that this is not a security issue.

Well it is a issue for the availability of the tool itself, that is that if you stuble on it the tool may crash. So in a sense it is a low impact on availability. However I hardly think we should consider availability impact on build tools.

RedHat seem to have come to the same conclusion:

https://access.redhat.com/security/cve/cve-2016-6131

Due to this I have marked this as no-dsa (excelt for binutils where I let Brian judge that as he is working on it). If you disagree please complain and/or reverse what I did.

This means that I have also removed the following packages from dla-needed.txt.

- gdb

- gcc-h8300-hms

- ht

- binutils-h8300-hms

- valgrind

I did not remove binutils from dla-needed.txt as Brian had claimed that and it was discussed above that it may be good to have safe fixes even though they are not strictly needed.

Best regards

// Ola

On Thu, Jul 14, 2016 at 9:19 AM, Brian May <bam@debian.org> wrote:

I have CCed the package maintainer, the two people in the Uploaders
header, and the person who made the last security update of binutils.

I have a LTS update of binutils for wheezy, that fixes most of the
pending minor security issues. All except CVE-2016-4491 to be
precise. Attached is a copy of the patch from the current version, below
is a URL to a version available for testing.

https://people.debian.org/~bam/debian/pool/main/b/binutils/

I have not found any regressions in my testing of this package.

If there are no objections I plan to upload this next Monday (18th).
--
Brian May <bam@debian.org>

--- Inguza Technology AB --- MSc in Information Technology ----

/ ola@inguza.com Folkebogatan 26 \

| opal@debian.org 654 68 KARLSTAD |

| http://inguza.com/ Mobile: +46 (0)70-332 1551 |

\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /

---------------------------------------------------------------

Reply to:

References:
- CVE-2016-6131 binutils, gdb, valgrind etc.
  - From: Markus Koschany <apo@debian.org>
- Re: CVE-2016-6131 binutils, gdb, valgrind etc.
  - From: Brian May <bam@debian.org>
- Re: CVE-2016-6131 binutils, gdb, valgrind etc.
  - From: Markus Koschany <apo@debian.org>
- Re: CVE-2016-6131 binutils, gdb, valgrind etc.
  - From: Holger Levsen <holger@layer-acht.org>
- Re: CVE-2016-6131 binutils, gdb, valgrind etc.
  - From: Bálint Réczey <balint@balintreczey.hu>
- Re: CVE-2016-6131 binutils, gdb, valgrind etc.
  - From: Brian May <bam@debian.org>
- Re: CVE-2016-6131 binutils, gdb, valgrind etc.
  - From: Brian May <bam@debian.org>

Prev by Date: Re: Wheezy update of gdk-pixbuf?
Next by Date: CVE-2016-6232 / kdelibs4
Previous by thread: Re: CVE-2016-6131 binutils, gdb, valgrind etc.
Next by thread: Re: CVE-2016-6131 binutils, gdb, valgrind etc.
Index(es):
- Date
- Thread