
Re: Why no security support for binutils? What to do about it?



On Tue, Dec 31, 2019 at 9:47 AM Florian Weimer wrote:

> BFD and binutils have not been designed to process untrusted data.
> Usually, this does not matter at all.  For example, no security
> boundary is crossed when linking object files that have just been
> compiled.

There are definitely situations where vulnerabilities in binutils
(mostly objdump) are important and a security boundary could be
crossed, for example: running lintian on ftp-master, malware reverse
engineering and inspection of binaries for hardening features.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

