Hi Troy,

On Tue, Dec 15, 2015 at 12:18:28PM -0700, Troy Heber wrote:
> On 12/11/15 11:21, Guido Günther wrote:
>
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Squeeze version of dwarfutils:
> > https://security-tracker.debian.org/tracker/CVE-2015-8538
> >
> > Would you like to take care of this yourself?
>
> According to the RHEL bug[1] for CVE-2015-8538:
>
> "There is a out of bound read in latest release version
> dwarf-20151114, and we have tested the other version dwarf-20140805,
> so we guess the versions which are between these two version will be
> affected too."
>
> I just tested the version in squeeze (20100214-1) and it is indeed not
> affected by this CVE, and does not segfault with the provided test case.

It doesn't segfault but I added this note to dla-needed (so I remember
why I think it's affected):

    dwarfutils
      NOTE: exploit does not crash dwarfutils but _dwarf_get_abbrev_for_code lacks the check

I do think it would be good to add the check to guard against other
broken binaries or did I misread the code?

Cheers,
 -- Guido