[Secure-testing-team] Integer overflow in applications parsing ELF headers

Micah Anderson micah at debian.org
Wed May 11 15:29:00 UTC 2005


On Wed, 11 May 2005, Joey Hess wrote:

> Moritz Muehlenhoff wrote:
> > Are there other applications inside Debian embedding BFD or parsing ELF
> > binaries with their own code?

Is there more detailed information about this? The gentoo page doesn't
have much. 

Additionally, the bug seems to say that the bfd binaries are affected,
but not everything that links with bfd.

> Here's everything that build depends on binutils-dev:
>
> crash
crash uses libbfd (as listed), but it uses it via gdb, and gdb
provides its own bfd, so as long as gdb is fixed, crash is fine.
However crash provides its own gdb, so is directly affected. I've
spoken with the upstream authors about this and they are working on
understanding the problem and if it affects crash. Hold off on
submitting a bug on this while I sort this out - I'll file a bug if it
is affected.

> lcrash
I've spoken to the upstream author about this, lcrash only uses libbfd
for some disassembly work, so it seems pretty outside case scenario,
but again they are investigating the relative vulnerability and I will
file a bug on this if it is deemed vulnerable.

> "Note that building Debian packages which depend on the shared libbfd is
> Not Allowed."  *sigh*!

I see this in the binutils-dev package description, however I don't see
it anywhere else, not in the policy, not in lintian/linda checks, not
on any mailing lists... I see a couple of people on debian-devel
asking what the deal is with this, but no informative responses. Does
anyone know *why* this is and why this isn't documented somewhere more
visible?

micah