
Re: CVE-2016-6131 binutils, gdb, valgrind etc.


I have also started to look into CVE-2016-6131. I agree with Markus that this is not a security issue.
Well, it is an issue for the availability of the tool itself, that is, if you stumble on it the tool may crash. So in a sense it is a low impact on availability. However, I hardly think we should consider availability impact on build tools.
RedHat seem to have come to the same conclusion:

Due to this I have marked this as no-dsa (except for binutils where I let Brian judge that as he is working on it). If you disagree please complain and/or reverse what I did.

This means that I have also removed the following packages from dla-needed.txt.
- gdb
- gcc-h8300-hms
- ht
- binutils-h8300-hms
- valgrind

I did not remove binutils from dla-needed.txt as Brian had claimed that and it was discussed above that it may be good to have safe fixes even though they are not strictly needed.

Best regards

// Ola

On Thu, Jul 14, 2016 at 9:19 AM, Brian May <bam@debian.org> wrote:
I have CCed the package maintainer, the two people in the Uploaders
header, and the person who made the last security update of binutils.

I have a LTS update of binutils for wheezy, that fixes most of the
pending minor security issues. All except CVE-2016-4491 to be
precise. Attached is a copy of the patch from the current version, below
is a URL to a version available for testing.


I have not found any regressions in my testing of this package.

If there are no objections I plan to upload this next Monday (18th).
Brian May <bam@debian.org>

 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
