5:20 a.m.
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Bug ID: 1162594
Summary: CVE-2014-8502 binutils: heap overflow in objdump
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: vkaigoro(a)redhat.com
CC: bgollahe(a)redhat.com, dan(a)danny.cz,
dhowells(a)redhat.com, erik-fedora(a)vanpienbroek.nl,
fedora-mingw(a)lists.fedoraproject.org,
jakub(a)redhat.com, kalevlember(a)gmail.com,
kanderso(a)redhat.com, ktietz(a)redhat.com,
law(a)redhat.com, lkocman(a)redhat.com, lkundrak(a)v3.sk,
mfranc(a)redhat.com, mhlavink(a)redhat.com,
nickc(a)redhat.com, ohudlick(a)redhat.com,
pfrankli(a)redhat.com, rjones(a)redhat.com,
rob(a)robspanton.com, seceng-idm-qe-list(a)redhat.com,
swhiteho(a)redhat.com, thibault.north(a)gmail.com,
tmlcoch(a)redhat.com, trond.danielsen(a)gmail.com
A heap overflow was reborted [1] when running objdump on a specially crafted PE
executable [2].
Upstream patches that address this are at [3] and [4].
[1]: https://sourceware.org/bugzilla/show_bug.cgi?id=17512#c17
[2]: https://sourceware.org/bugzilla/attachment.cgi?id=7862
[3]:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5a4b0ccc20ba30...
[4]:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=acafeb6056bec4...
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=pnYCBTnBr5&a=cc_unsubscribe
5:20 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Vasyl Kaigorodov <vkaigoro(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1156276
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=ZUS5bvFLmm&a=cc_unsubscribe
5:25 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Vasyl Kaigorodov <vkaigoro(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1162598
Depends On| |1162599
Depends On| |1162600
Depends On| |1162601
Depends On| |1162602
Depends On| |1162603
Depends On| |1162604
Depends On| |1162605
Depends On| |1162606
--- Comment #1 from Vasyl Kaigorodov <vkaigoro(a)redhat.com> ---
Created mingw-binutils tracking bugs for this issue:
Affects: fedora-all [bug 1162602]
Affects: epel-all [bug 1162606]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1162598
[Bug 1162598] CVE-2014-8502 arm-none-eabi-binutils-cs: binutils: heap
overflow in objdump [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1162599
[Bug 1162599] CVE-2014-8502 avr-binutils: binutils: heap overflow in
objdump [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1162600
[Bug 1162600] CVE-2014-8502 binutils: heap overflow in objdump [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1162601
[Bug 1162601] CVE-2014-8502 cross-binutils: binutils: heap overflow in
objdump [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1162602
[Bug 1162602] CVE-2014-8502 mingw-binutils: binutils: heap overflow in
objdump [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1162603
[Bug 1162603] CVE-2014-8502 msp430-binutils: binutils: heap overflow in
objdump [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1162604
[Bug 1162604] CVE-2014-8502 avr-binutils: binutils: heap overflow in
objdump [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1162605
[Bug 1162605] CVE-2014-8502 cross-binutils: binutils: heap overflow in
objdump [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1162606
[Bug 1162606] CVE-2014-8502 mingw-binutils: binutils: heap overflow in
objdump [epel-all]
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=zAa8Axdodv&a=cc_unsubscribe
5:25 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
--- Comment #2 from Vasyl Kaigorodov <vkaigoro(a)redhat.com> ---
Created avr-binutils tracking bugs for this issue:
Affects: fedora-all [bug 1162599]
Affects: epel-all [bug 1162604]
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=8hdd2SyNiW&a=cc_unsubscribe
5:25 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
--- Comment #3 from Vasyl Kaigorodov <vkaigoro(a)redhat.com> ---
Created arm-none-eabi-binutils-cs tracking bugs for this issue:
Affects: fedora-all [bug 1162598]
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=HgeBPNr62V&a=cc_unsubscribe
5:25 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
--- Comment #4 from Vasyl Kaigorodov <vkaigoro(a)redhat.com> ---
Created msp430-binutils tracking bugs for this issue:
Affects: fedora-all [bug 1162603]
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=cp06eEGnDB&a=cc_unsubscribe
5:25 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
--- Comment #5 from Vasyl Kaigorodov <vkaigoro(a)redhat.com> ---
Created cross-binutils tracking bugs for this issue:
Affects: fedora-all [bug 1162601]
Affects: epel-all [bug 1162605]
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=kC7br14hDB&a=cc_unsubscribe
5:25 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
--- Comment #6 from Vasyl Kaigorodov <vkaigoro(a)redhat.com> ---
Created binutils tracking bugs for this issue:
Affects: fedora-all [bug 1162600]
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=xYWP5nDoIH&a=cc_unsubscribe
8:50 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Vasyl Kaigorodov <vkaigoro(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|CVE-2014-8502 binutils: |CVE-2014-8502 binutils:
|heap overflow in objdump |heap overflow in objdump
| |when parsing a crafted
| |ELF/PE binary file
| |(incomplete fix for
| |CVE-2014-8485)
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=zOGmxxwhRP&a=cc_unsubscribe
8:52 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Vasyl Kaigorodov <vkaigoro(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20141028, |impact=low,public=20141028,
|reported=20141111,source=os |reported=20141111,source=os
|s-sec,cvss2=1.2/AV:L/AC:H/A |s-sec,cvss2=1.2/AV:L/AC:H/A
|u:N/C:P/I:N/A:N,cwe=CWE-122 |u:N/C:P/I:N/A:N,cwe=CWE-122
|,dts-2.1/devtoolset-2-binut |,dts-2.1/devtoolset-2-binut
|ils=new,dts-3.0/devtoolset- |ils=affected,dts-3.0/devtoo
|3-binutils=new,fedora-all/a |lset-3-binutils=affected,fe
|rm-none-eabi-binutils-cs=af |dora-all/arm-none-eabi-binu
|fected,fedora-all/avr-binut |tils-cs=affected,fedora-all
|ils=affected,fedora-all/bin |/avr-binutils=affected,fedo
|utils=affected,fedora-all/c |ra-all/binutils=affected,fe
|ross-binutils=affected,fedo |dora-all/cross-binutils=aff
|ra-all/mingw-binutils=affec |ected,fedora-all/mingw-binu
|ted,fedora-all/msp430-binut |tils=affected,fedora-all/ms
|ils=affected,rhel-4/binutil |p430-binutils=affected,rhel
|s=new,rhel-5/binutils=new,r |-5/binutils=wontfix,rhel-5/
|hel-5/binutils220=new,rhel- |binutils220=wontfix,rhel-6/
|6/binutils=new,rhel-6/mingw |binutils=affected,rhel-6/mi
|32-binutils=new,rhel-7/binu |ngw32-binutils=defer,rhel-7
|tils=new,epel-all/avr-binut |/binutils=affected,epel-all
|ils=affected,epel-all/cross |/avr-binutils=affected,epel
|-binutils=affected,epel-all |-all/cross-binutils=affecte
|/mingw-binutils=affected |d,epel-all/mingw-binutils=a
| |ffected
--- Comment #9 from Vasyl Kaigorodov <vkaigoro(a)redhat.com> ---
Statement:
Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and
maintenance life cycle. This has been rated as having Low security impact and
is not currently planned to be addressed in future updates. For additional
information, refer to the Red Hat Enterprise Linux Life Cycle:
https://access.redhat.com/support/policy/updates/errata/.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=5VqqvlM3WJ&a=cc_unsubscribe
9:13 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Vasyl Kaigorodov <vkaigoro(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Fixed In Version| |binutils 2.25
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=6s2BIL2dLd&a=cc_unsubscribe
9:53 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Vasyl Kaigorodov <vkaigoro(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1168281
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=na9m4KMMam&a=cc_unsubscribe
9:53 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Vasyl Kaigorodov <vkaigoro(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1168302
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=hEoVYVYDhm&a=cc_unsubscribe
3:13 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Tomas Hoger <thoger(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20141028, |impact=low,public=20141028,
|reported=20141111,source=os |reported=20141111,source=os
|s-sec,cvss2=1.2/AV:L/AC:H/A |s-sec,cvss2=1.2/AV:L/AC:H/A
|u:N/C:P/I:N/A:N,cwe=CWE-122 |u:N/C:P/I:N/A:N,cwe=CWE-122
|,dts-2.1/devtoolset-2-binut |,dts-2.1/devtoolset-2-binut
|ils=affected,dts-3.0/devtoo |ils=affected,dts-3.0/devtoo
|lset-3-binutils=affected,fe |lset-3-binutils=affected,fe
|dora-all/arm-none-eabi-binu |dora-all/arm-none-eabi-binu
|tils-cs=affected,fedora-all |tils-cs=affected,fedora-all
|/avr-binutils=affected,fedo |/avr-binutils=affected,fedo
|ra-all/binutils=affected,fe |ra-all/binutils=affected,fe
|dora-all/cross-binutils=aff |dora-all/cross-binutils=aff
|ected,fedora-all/mingw-binu |ected,fedora-all/mingw-binu
|tils=affected,fedora-all/ms |tils=affected,fedora-all/ms
|p430-binutils=affected,rhel |p430-binutils=affected,rhel
|-5/binutils=wontfix,rhel-5/ |-5/binutils=wontfix,rhel-5/
|binutils220=wontfix,rhel-6/ |binutils220=wontfix,rhel-6/
|binutils=affected,rhel-6/mi |binutils=affected,rhel-6/mi
|ngw32-binutils=defer,rhel-7 |ngw32-binutils=wontfix,rhel
|/binutils=affected,epel-all |-7/binutils=affected,epel-a
|/avr-binutils=affected,epel |ll/avr-binutils=affected,ep
|-all/cross-binutils=affecte |el-all/cross-binutils=affec
|d,epel-all/mingw-binutils=a |ted,epel-all/mingw-binutils
|ffected |=affected
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=5JSohtt5pY&a=cc_unsubscribe
8:38 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Vasyl Kaigorodov <vkaigoro(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20141028, |impact=low,public=20141028,
|reported=20141111,source=os |reported=20141111,source=os
|s-sec,cvss2=1.2/AV:L/AC:H/A |s-sec,cvss2=1.2/AV:L/AC:H/A
|u:N/C:P/I:N/A:N,cwe=CWE-122 |u:N/C:P/I:N/A:N,cwe=CWE-122
|,dts-2.1/devtoolset-2-binut |,dts-2.1/devtoolset-2-binut
|ils=affected,dts-3.0/devtoo |ils=affected,dts-3.0/devtoo
|lset-3-binutils=affected,fe |lset-3-binutils=affected,fe
|dora-all/arm-none-eabi-binu |dora-all/arm-none-eabi-binu
|tils-cs=affected,fedora-all |tils-cs=affected,fedora-all
|/avr-binutils=affected,fedo |/avr-binutils=affected,fedo
|ra-all/binutils=affected,fe |ra-all/binutils=affected,fe
|dora-all/cross-binutils=aff |dora-all/cross-binutils=aff
|ected,fedora-all/mingw-binu |ected,fedora-all/mingw-binu
|tils=affected,fedora-all/ms |tils=affected,fedora-all/ms
|p430-binutils=affected,rhel |p430-binutils=affected,rhel
|-5/binutils=wontfix,rhel-5/ |-5/binutils=wontfix,rhel-5/
|binutils220=wontfix,rhel-6/ |binutils220=wontfix,rhel-6/
|binutils=affected,rhel-6/mi |binutils=affected,rhel-6/mi
|ngw32-binutils=wontfix,rhel |ngw32-binutils=wontfix,rhel
|-7/binutils=affected,epel-a |-7/binutils=defer,epel-all/
|ll/avr-binutils=affected,ep |avr-binutils=affected,epel-
|el-all/cross-binutils=affec |all/cross-binutils=affected
|ted,epel-all/mingw-binutils |,epel-all/mingw-binutils=af
|=affected |fected
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=iHO9mTcvSm&a=cc_unsubscribe
8:36 p.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Bug 1162594 depends on bug 1162598, which changed state.
Bug 1162598 Summary: CVE-2014-8502 arm-none-eabi-binutils-cs: binutils: heap overflow in
objdump [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1162598
What |Removed |Added
----------------------------------------------------------------------------
Status|ON_QA |CLOSED
Resolution|--- |ERRATA
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=uhzZAnHtvs&a=cc_unsubscribe
8:36 p.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
--- Comment #11 from Fedora Update System <updates(a)fedoraproject.org> ---
arm-none-eabi-binutils-cs-2014.05.28-3.fc20 has been pushed to the Fedora 20
stable repository. If problems still persist, please make note of it in this
bug report.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=MTPJ0JSXmZ&a=cc_unsubscribe
8:39 p.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Bug 1162594 depends on bug 1162599, which changed state.
Bug 1162599 Summary: CVE-2014-8502 avr-binutils: binutils: heap overflow in objdump
[fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1162599
What |Removed |Added
----------------------------------------------------------------------------
Status|ON_QA |CLOSED
Resolution|--- |ERRATA
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=nHJAZvmyeN&a=cc_unsubscribe
8:40 p.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
--- Comment #12 from Fedora Update System <updates(a)fedoraproject.org> ---
avr-binutils-2.24-3.fc20 has been pushed to the Fedora 20 stable repository.
If problems still persist, please make note of it in this bug report.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=WnRkeIxEEs&a=cc_unsubscribe
4:04 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
--- Comment #13 from Fedora Update System <updates(a)fedoraproject.org> ---
avr-binutils-2.24-4.fc21 has been pushed to the Fedora 21 stable repository.
If problems still persist, please make note of it in this bug report.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=Npi30N7UQI&a=cc_unsubscribe
4:08 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
--- Comment #14 from Fedora Update System <updates(a)fedoraproject.org> ---
arm-none-eabi-binutils-cs-2014.05.28-3.fc21 has been pushed to the Fedora 21
stable repository. If problems still persist, please make note of it in this
bug report.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=Wgelsuffiq&a=cc_unsubscribe
10:37 p.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
--- Comment #15 from Fedora Update System <updates(a)fedoraproject.org> ---
avr-binutils-2.24-3.fc19 has been pushed to the Fedora 19 stable repository.
If problems still persist, please make note of it in this bug report.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=yG2tklUYag&a=cc_unsubscribe
10:39 p.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
--- Comment #16 from Fedora Update System <updates(a)fedoraproject.org> ---
arm-none-eabi-binutils-cs-2014.05.28-3.fc19 has been pushed to the Fedora 19
stable repository. If problems still persist, please make note of it in this
bug report.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=GmTNrscQ2B&a=cc_unsubscribe
9:28 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Vasyl Kaigorodov <vkaigoro(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1172710
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=DC6oFyf6jI&a=cc_unsubscribe
11:05 p.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Bug 1162594 depends on bug 1162602, which changed state.
Bug 1162602 Summary: CVE-2014-8502 mingw-binutils: binutils: heap overflow in objdump
[fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1162602
What |Removed |Added
----------------------------------------------------------------------------
Status|ON_QA |CLOSED
Resolution|--- |ERRATA
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=npe07Coxpj&a=cc_unsubscribe
9 p.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Bug 1162594 depends on bug 1162606, which changed state.
Bug 1162606 Summary: CVE-2014-8502 mingw-binutils: binutils: heap overflow in objdump
[epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1162606
What |Removed |Added
----------------------------------------------------------------------------
Status|MODIFIED |CLOSED
Resolution|--- |ERRATA
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=VlT2r5qY9b&a=cc_unsubscribe
1:52 p.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Bug 1162594 depends on bug 1162601, which changed state.
Bug 1162601 Summary: CVE-2014-8502 cross-binutils: binutils: heap overflow in objdump
[fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1162601
What |Removed |Added
----------------------------------------------------------------------------
Status|MODIFIED |CLOSED
Resolution|--- |CURRENTRELEASE
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=T0PhUCwMmB&a=cc_unsubscribe
5:21 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Vasyl Kaigorodov <vkaigoro(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20141028, |impact=low,public=20141028,
|reported=20141111,source=os |reported=20141111,source=os
|s-sec,cvss2=1.2/AV:L/AC:H/A |s-security,cvss2=1.2/AV:L/A
|u:N/C:P/I:N/A:N,cwe=CWE-122 |C:H/Au:N/C:P/I:N/A:N,cwe=CW
|,dts-2.1/devtoolset-2-binut |E-122,dts-2.1/devtoolset-2-
|ils=affected,dts-3.0/devtoo |binutils=affected,dts-3.0/d
|lset-3-binutils=affected,fe |evtoolset-3-binutils=affect
|dora-all/arm-none-eabi-binu |ed,fedora-all/arm-none-eabi
|tils-cs=affected,fedora-all |-binutils-cs=affected,fedor
|/avr-binutils=affected,fedo |a-all/avr-binutils=affected
|ra-all/binutils=affected,fe |,fedora-all/binutils=affect
|dora-all/cross-binutils=aff |ed,fedora-all/cross-binutil
|ected,fedora-all/mingw-binu |s=affected,fedora-all/mingw
|tils=affected,fedora-all/ms |-binutils=affected,fedora-a
|p430-binutils=affected,rhel |ll/msp430-binutils=affected
|-5/binutils=wontfix,rhel-5/ |,rhel-5/binutils=wontfix,rh
|binutils220=wontfix,rhel-6/ |el-5/binutils220=wontfix,rh
|binutils=affected,rhel-6/mi |el-6/binutils=affected,rhel
|ngw32-binutils=wontfix,rhel |-6/mingw32-binutils=wontfix
|-7/binutils=defer,epel-all/ |,rhel-7/binutils=defer,epel
|avr-binutils=affected,epel- |-all/avr-binutils=affected,
|all/cross-binutils=affected |epel-all/cross-binutils=aff
|,epel-all/mingw-binutils=af |ected,epel-all/mingw-binuti
|fected |ls=affected
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=DYSn8FGQLV&a=cc_unsubscribe
6:11 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Vasyl Kaigorodov <vkaigoro(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20141028, |impact=low,public=20141028,
|reported=20141111,source=os |reported=20141111,source=os
|s-security,cvss2=1.2/AV:L/A |s-security,cvss2=2.6/AV:L/A
|C:H/Au:N/C:P/I:N/A:N,cwe=CW |C:H/Au:N/C:P/I:N/A:P,cwe=CW
|E-122,dts-2.1/devtoolset-2- |E-122,dts-2.1/devtoolset-2-
|binutils=affected,dts-3.0/d |binutils=affected,dts-3.0/d
|evtoolset-3-binutils=affect |evtoolset-3-binutils=affect
|ed,fedora-all/arm-none-eabi |ed,fedora-all/arm-none-eabi
|-binutils-cs=affected,fedor |-binutils-cs=affected,fedor
|a-all/avr-binutils=affected |a-all/avr-binutils=affected
|,fedora-all/binutils=affect |,fedora-all/binutils=affect
|ed,fedora-all/cross-binutil |ed,fedora-all/cross-binutil
|s=affected,fedora-all/mingw |s=affected,fedora-all/mingw
|-binutils=affected,fedora-a |-binutils=affected,fedora-a
|ll/msp430-binutils=affected |ll/msp430-binutils=affected
|,rhel-5/binutils=wontfix,rh |,rhel-5/binutils=wontfix,rh
|el-5/binutils220=wontfix,rh |el-5/binutils220=wontfix,rh
|el-6/binutils=affected,rhel |el-6/binutils=affected,rhel
|-6/mingw32-binutils=wontfix |-6/mingw32-binutils=wontfix
|,rhel-7/binutils=defer,epel |,rhel-7/binutils=defer,epel
|-all/avr-binutils=affected, |-all/avr-binutils=affected,
|epel-all/cross-binutils=aff |epel-all/cross-binutils=aff
|ected,epel-all/mingw-binuti |ected,epel-all/mingw-binuti
|ls=affected |ls=affected
--- Doc Text *updated* ---
A heap-based buffer overflow flaw was found in the way objdump utility processed certain
files. If a user were tricked into running objdump on a specially crafted file, it could
cause objdump to crash or potentially execute arbitrary code with
the privileges of the user running an executable. The original fix for CVE-2014-8485 was
found to be incomplete.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=A1eP1O6tji&a=cc_unsubscribe
4:07 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
--- Doc Text *updated* by Martin Prpic <mprpic(a)redhat.com> ---
It was found that the fix for the CVE-2014-8485 issue was incomplete: a heap-based buffer
overflow in the objdump utility could cause it to crash or, potentially, execute arbitrary
code with the privileges of the user running objdump when processing specially crafted
files.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=0TGaLLclgL&a=cc_unsubscribe
10:29 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
--- Comment #19 from Nick Clifton <nickc(a)redhat.com> ---
Created attachment 1043575
--> https://bugzilla.redhat.com/attachment.cgi?id=1043575&action=edit
Amalgamted patch to fix all of the bugs referenced by PR 1712#c17
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=jmdZBb6cBK&a=cc_unsubscribe
10:31 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
--- Comment #20 from Nick Clifton <nickc(a)redhat.com> ---
Created attachment 1043578
--> https://bugzilla.redhat.com/attachment.cgi?id=1043578&action=edit
Corrupt binary that (used to) crash objdump -x
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=gzSd0iLbz3&a=cc_unsubscribe
10:32 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
--- Comment #21 from Nick Clifton <nickc(a)redhat.com> ---
Created attachment 1043579
--> https://bugzilla.redhat.com/attachment.cgi?id=1043579&action=edit
Second corrupt binary that (used to ) crash objdump -x
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=jTNGRwHMfq&a=cc_unsubscribe
10:33 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
--- Comment #22 from Nick Clifton <nickc(a)redhat.com> ---
Created attachment 1043580
--> https://bugzilla.redhat.com/attachment.cgi?id=1043580&action=edit
Corrupt ELF binary that (used to) crash objdump -x
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=gsJ4pi4fvs&a=cc_unsubscribe
10:36 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
--- Comment #23 from Nick Clifton <nickc(a)redhat.com> ---
I have uploaded a patch to fix this BZ, plus the three corrupt binary files
(extracted from PR 17512) that used to trigger the bugs.
I am not sure what I should do next. Can someone please advise ?
Cheers
Nick
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=mItrc57LMr&a=cc_unsubscribe
10:45 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
--- Comment #24 from Jeff Law <law(a)redhat.com> ---
Nick, I'll walk you through the various process/procedural stuff Monday. Well,
I'll probably send you a howto over the weekend, which you can try Monday
morning and if there's questions, we can cover them in IRC Monday.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=O0QJ1wahXt&a=cc_unsubscribe
7:44 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Nick Clifton <nickc(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |MODIFIED
Fixed In Version|binutils 2.25 |binutils-2.23.52.0.1-46.el7
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=NEnbZj2zUF&a=cc_unsubscribe
6:15 p.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Bug 1162594 depends on bug 1162600, which changed state.
Bug 1162600 Summary: CVE-2014-8502 binutils: heap overflow in objdump [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1162600
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |EOL
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=GHOnHSS3iE&a=cc_unsubscribe
6:15 p.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Bug 1162594 depends on bug 1162603, which changed state.
Bug 1162603 Summary: CVE-2014-8502 msp430-binutils: binutils: heap overflow in objdump
[fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1162603
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |EOL
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=CQPGLFh56W&a=cc_unsubscribe
5:53 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Tomas Hoger <thoger(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|MODIFIED |NEW
Fixed In Version|binutils-2.23.52.0.1-46.el7 |binutils 2.25
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=QW8D2pmWmL&a=cc_unsubscribe
6:06 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Miloš Prchlík <mprchlik(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mprchlik(a)redhat.com
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=7xMbJP4pTq&a=cc_unsubscribe
1:15 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Huzaifa S. Sidhpurwala <huzaifas(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1210268
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=gcDm4g5tm8&a=cc_unsubscribe
1:22 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Huzaifa S. Sidhpurwala <huzaifas(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20141028, |impact=low,public=20141028,
|reported=20141111,source=os |reported=20141111,source=os
|s-security,cvss2=2.6/AV:L/A |s-security,cvss2=2.6/AV:L/A
|C:H/Au:N/C:P/I:N/A:P,cwe=CW |C:H/Au:N/C:P/I:N/A:P,cwe=CW
|E-122,dts-2.1/devtoolset-2- |E-122,dts-2.1/devtoolset-2-
|binutils=affected,dts-3.0/d |binutils=affected,dts-3.0/d
|evtoolset-3-binutils=affect |evtoolset-3-binutils=affect
|ed,fedora-all/arm-none-eabi |ed,fedora-all/arm-none-eabi
|-binutils-cs=affected,fedor |-binutils-cs=affected,fedor
|a-all/avr-binutils=affected |a-all/avr-binutils=affected
|,fedora-all/binutils=affect |,fedora-all/binutils=affect
|ed,fedora-all/cross-binutil |ed,fedora-all/cross-binutil
|s=affected,fedora-all/mingw |s=affected,fedora-all/mingw
|-binutils=affected,fedora-a |-binutils=affected,fedora-a
|ll/msp430-binutils=affected |ll/msp430-binutils=affected
|,rhel-5/binutils=wontfix,rh |,rhel-5/binutils=wontfix,rh
|el-5/binutils220=wontfix,rh |el-5/binutils220=wontfix,rh
|el-6/binutils=affected,rhel |el-6/binutils=affected,rhel
|-6/mingw32-binutils=wontfix |-6/mingw32-binutils=wontfix
|,rhel-7/binutils=defer,epel |,rhel-7/binutils=affected,e
|-all/avr-binutils=affected, |pel-all/avr-binutils=affect
|epel-all/cross-binutils=aff |ed,epel-all/cross-binutils=
|ected,epel-all/mingw-binuti |affected,epel-all/mingw-bin
|ls=affected |utils=affected
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=a9QyY4YoQr&a=cc_unsubscribe
8:50 a.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
Martin Prpic <mprpic(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20141028, |impact=low,public=20141028,
|reported=20141111,source=os |reported=20141111,source=os
|s-security,cvss2=2.6/AV:L/A |s-security,cvss2=2.6/AV:L/A
|C:H/Au:N/C:P/I:N/A:P,cwe=CW |C:H/Au:N/C:P/I:N/A:P,cwe=CW
|E-122,dts-2.1/devtoolset-2- |E-122,dts-2.1/devtoolset-2-
|binutils=affected,dts-3.0/d |binutils=wontfix,dts-3.0/de
|evtoolset-3-binutils=affect |vtoolset-3-binutils=affecte
|ed,fedora-all/arm-none-eabi |d,fedora-all/arm-none-eabi-
|-binutils-cs=affected,fedor |binutils-cs=affected,fedora
|a-all/avr-binutils=affected |-all/avr-binutils=affected,
|,fedora-all/binutils=affect |fedora-all/binutils=affecte
|ed,fedora-all/cross-binutil |d,fedora-all/cross-binutils
|s=affected,fedora-all/mingw |=affected,fedora-all/mingw-
|-binutils=affected,fedora-a |binutils=affected,fedora-al
|ll/msp430-binutils=affected |l/msp430-binutils=affected,
|,rhel-5/binutils=wontfix,rh |rhel-5/binutils=wontfix,rhe
|el-5/binutils220=wontfix,rh |l-5/binutils220=wontfix,rhe
|el-6/binutils=affected,rhel |l-6/binutils=affected,rhel-
|-6/mingw32-binutils=wontfix |6/mingw32-binutils=wontfix,
|,rhel-7/binutils=affected,e |rhel-7/binutils=affected,ep
|pel-all/avr-binutils=affect |el-all/avr-binutils=affecte
|ed,epel-all/cross-binutils= |d,epel-all/cross-binutils=a
|affected,epel-all/mingw-bin |ffected,epel-all/mingw-binu
|utils=affected |tils=affected
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=Sqjk2DjqOa&a=cc_unsubscribe
9:33 p.m.
New subject: [Bug 1162594] CVE-2014-8502 binutils: heap overflow in objdump when
parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
https://bugzilla.redhat.com/show_bug.cgi?id=1162594
--- Comment #25 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> ---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:2079 https://rhn.redhat.com/errata/RHSA-2015-2079.html
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=2EOjj2erAz&a=cc_unsubscribe
3079
days inactive
3452
days old
44 comments
1 participants
participants (1)
-
Red Hat Bugzilla