[security-announce] binutils: Security update

Sona Sarmadi sona.sarmadi at enea.com
Tue Feb 3 14:38:33 CET 2015



	      Enea Linux Security Advisory

=========================================================
Product/package: binutils
Severity: Moderate
Issue date: 2015-02-03
CVE Names: CVE-2014-8484, CVE-2014-8485, CVE-2014-8501,
           CVE-2014-8502, CVE-2014-8503, CVE-2014-8504,
           CVE-2014-8737
Layer: meta
=========================================================
A security patch that fixes multiple CVEs in binutils is now available
at http://linux.enea.com/4.0/patches:

README file: 0028-binutils-several-security-fixes.README
Patch file: 0028-binutils-several-security-fixes.patch

This patch fixes the following CVEs in binutils
============================================
CVE-2014-8484: invalid read flaw in libbfd
CVE-2014-8485: lack of range checking leading to controlled write in
_bfd_elf_setup_sections()
CVE-2014-8501: out-of-bounds write when parsing specially crafted PE
executable
CVE-2014-8502: heap overflow in objdump when parsing a crafted ELF/PE
binary file (incomplete fix for CVE-2014-8485)
CVE-2014-8503: stack overflow in objdump when parsing specially
crafted ihex file
CVE-2014-8504: stack overflow in the SREC parser
CVE-2014-8737: directory traversal vulnerability

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8484
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8485
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8501
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8502
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8503
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8504
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8737

How to apply the patches
========================
We recommend that you apply all relevant existing patches for your
release, available at http://linux.enea.com/4.0/patches.

- Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget http://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches >

- Fetch and apply the new patch
cd Enea-Linux-4.0/poky
wget http://linux.enea.com/4.0/patches/0028-binutils-several-security-fixes.patch
patch -p1 < ./0028-binutils-several-security-fixes.patch
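As an added example (not part of the Enea advisory or its patch set), a POSIX shell script that applies an NNNN-*.patch series such as the one above in numeric order, refusing to continue if a number in the series is missing or a patch does not apply cleanly in a dry run. The patches directory and the PATCH_DIR variable are assumptions.

```shell
#!/bin/sh
# Added example, not Enea's own tooling. Run from the poky/ tree, e.g.
#   PATCH_DIR=../patches sh apply-series.sh
# Patches are expected to be named NNNN-description.patch (0001, 0002, ...).

# Print the patch file names in numeric order; return 1 on a gap in the series.
ordered_patches() {
    dir=$1
    expected=1
    # Fixed-width numeric prefixes sort correctly with the shell's glob order.
    for path in "$dir"/[0-9][0-9][0-9][0-9]-*.patch; do
        [ -e "$path" ] || continue          # no matches: glob stays literal
        f=${path##*/}
        num=${f%%-*}
        num=${num#0}; num=${num#0}; num=${num#0}   # strip leading zeros (POSIX)
        num=${num:-0}
        if [ "$num" -ne "$expected" ]; then
            echo "gap: expected patch $(printf '%04d' "$expected"), found $f" >&2
            return 1
        fi
        echo "$f"
        expected=$((expected + 1))
    done
}

# Apply the whole series in order, dry-running each patch first so a
# failing hunk never leaves the tree half-patched.
apply_patches() {
    dir=$1
    list=$(ordered_patches "$dir") || return 1
    for f in $list; do
        if ! patch -p1 --dry-run -s < "$dir/$f"; then
            echo "$f does not apply cleanly; stopping" >&2
            return 1
        fi
        patch -p1 -s < "$dir/$f" || return 1
        echo "applied $f"
    done
}

# Only act when a patches directory was given (assumed variable name).
if [ -n "${PATCH_DIR:-}" ]; then
    apply_patches "$PATCH_DIR"
fi
```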