[security-announce] binutils: Security update

Sona Sarmadi sona.sarmadi at enea.com
Tue Mar 10 13:21:01 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		Enea Linux Security Advisory

=========================================================
Product/package: binutils 2.24
Severity: Moderate
CVE Names: CVE-2014-8484, CVE-2014-8485, CVE-2014-8501,
           CVE-2014-8502, CVE-2014-8503, CVE-2014-8504,
           CVE-2014-8737
=========================================================
A security patch that fixes multiple CVEs in binutils is now available
at http://linux.enea.com/5.0-beta-m400/patches:

README file: 0006-binutils-several-security-fixes.README
Patch file: 0006-binutils-several-security-fixes.patch

Summary
===========
CVE-2014-8484: invalid read flaw in libbfd
CVE-2014-8485: lack of range checking leading to controlled write in
_bfd_elf_setup_sections()
CVE-2014-8501: out-of-bounds write when parsing specially crafted PE
executable
CVE-2014-8502: heap overflow in objdump when parsing a crafted ELF/PE
binary file (incomplete fix for CVE-2014-8485)
CVE-2014-8503: stack overflow in objdump when parsing specially crafted ihex
file
CVE-2014-8504: stack overflow in the SREC parser
CVE-2014-8737: directory traversal vulnerability

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8484
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8485
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8501
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8502
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8503
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8504
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8737

How to apply the patches
=======================
We recommend that you apply all existing relevant patches for your
release, available at http://linux.enea.com/4.0/patches.

 - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget http://linux.enea.com/5.0-beta-m400/Enea-Linux-5.0-beta-m400.tar.gz
tar zxvf Enea-Linux-5.0-beta-m400.tar.gz
<Fetch and apply the existing patches; refer to the
    README file for each individual patch>

 - Fetch and apply the new patch
cd Enea-Linux-5.0-beta-m400/poky
wget http://linux.enea.com/5.0-beta-m400/patches/0006-binutils-several-security-fixes.patch
patch -p1 < ./0006-binutils-several-security-fixes.patch

If you have any questions regarding the security patches and security
updates, please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
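
The "Fetch and apply the new patch" step above, wrapped in a guard that dry-runs the patch first so a tree is never left half-patched and an already-patched tree is detected. This is an added example, not part of the Enea advisory; the function name apply_patch_checked and its return codes are hypothetical, and GNU patch is assumed.

```shell
# Added example (not from the advisory). Assumes GNU patch.
# apply_patch_checked TREE PATCHFILE
#   returns 0 = patch applied now
#           3 = patch was already applied, tree left untouched
#           1 = patch does not apply cleanly (or bad arguments), tree left untouched
# Typical use with the advisory's file names:
#   apply_patch_checked Enea-Linux-5.0-beta-m400/poky \
#       ./0006-binutils-several-security-fixes.patch
apply_patch_checked() {
    tree=$1
    patchfile=$2
    [ -d "$tree" ] && [ -r "$patchfile" ] || return 1

    # Make the patch path absolute so it survives the cd below.
    case $patchfile in
        /*) ;;
        *)  patchfile=$PWD/$patchfile ;;
    esac

    (
        cd "$tree" || exit 1

        # A reverse dry run succeeds only when every hunk is already
        # present, i.e. the fix has been applied before.
        if patch -p1 -R --dry-run -s -f < "$patchfile" >/dev/null 2>&1; then
            exit 3
        fi

        # A forward dry run must succeed for all hunks; otherwise stop
        # before anything is written (wrong base tree, or an earlier
        # patch in the series is missing).
        if ! patch -p1 --dry-run -s -f < "$patchfile" >/dev/null 2>&1; then
            exit 1
        fi

        # Both checks passed: apply for real, as in the advisory.
        patch -p1 -s -f < "$patchfile" >/dev/null
    )
}
```

A return code of 1 on a fresh tree usually means an earlier patch in the series has not been applied yet.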


