[ GLSA 200506-01 ] Binutils, elfutils: Buffer overflow

[GLSA]

Gentoo Linux Security Advisory

Title: Binutils, elfutils: Buffer overflow (GLSA 200506-01)
Severity: normal
Exploitable: remote
Date: June 01, 2005
Updated: May 22, 2006
Bug(s): #91398, #91817
ID: 200506-01

Synopsis


Various utilities from the GNU Binutils and elfutils packages are
vulnerable to a heap based buffer overflow, potentially resulting in the
execution of arbitrary code.


Background


The GNU Binutils are a collection of tools to create, modify and
analyse binary files. Many of the files use BFD, the Binary File
Descriptor library, to do low-level manipulation. Elfutils provides a
library and utilities to access, modify and analyse ELF objects.


Affected Packages

Package: dev-libs/elfutils
Vulnerable: < 0.108
Unaffected: >= 0.108
Architectures: All supported architectures

Package: sys-devel/binutils
Vulnerable: < 2.16-r1
Unaffected: >= 2.14.90.0.8-r3 < 2.14.90.0.9
Unaffected: >= 2.15.90.0.1.1-r5 < 2.15.90.0.1.2
Unaffected: >= 2.15.90.0.3-r5 < 2.15.90.0.4
Unaffected: >= 2.15.91.0.2-r2 < 2.15.91.0.3
Unaffected: >= 2.15.92.0.2-r10 < 2.15.92.0.3
Unaffected: >= 2.16-r1
Architectures: All supported architectures


Description


Tavis Ormandy and Ned Ludd of the Gentoo Linux Security Audit Team
discovered an integer overflow in the BFD library and elfutils,
resulting in a heap based buffer overflow.


Impact


Successful exploitation would require a user to access a specially
crafted binary file, resulting in the execution of arbitrary code.


Workaround


There is no known workaround at this time.


Resolution


All GNU Binutils users should upgrade to the latest version: