Hi,

On Wed, Dec 16, 2015 at 02:58:08PM -0700, Troy Heber wrote:
> On 12/16/15 18:44, Guido Günther wrote:
> >
> > It doesn't segfault but I added this note to dla-needed (so I remember
> > why I think it's affected):
> >
> > dwarfutils
> > NOTE: exploit does not crash dwarfutils but _dwarf_get_abbrev_for_code
> > lacks the check
> >
> > I do think it would be good to add the check to guard against other
> > broken binaries or did I misread the code?
>
> Hi Guido,
>
> First, from a policy perspective, I would argue that since there is no
> security issue it does not make sense to provide an extremely minor
> fix to an LTS package. Especially in this situation, because the
> problem is only with corrupted input files.
>
> However, that argument doesn't matter because in this case the
> dwarfdump binary is not the C version of dwarfdump but rather the C++
> version dwarfdump2. Back then dwarfdump2 was set to become the
> replacement for the original dwarfdump that was written in C.
> Recently, upstream decided to abandon the move to the C++ version and
> instead went back to the C version.

I missed that we're using dwarfdump2 in squeeze. Then it all makes sense.
Thanks!
 -- Guido
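The thread above concerns an abbreviation-table lookup in libdwarf that lacks a bounds check and is reachable only through corrupted input; it does not show the check itself. The following is an added example, written for this page and not libdwarf's or dwarfdump's code, of how a reader of the DWARF .debug_abbrev format rejects truncated or malformed input instead of reading past the section. The struct layouts, the fixed table limits, the helper names and the sample bytes are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not libdwarf code): a bounds-checked reader for one
 * compilation unit's DWARF .debug_abbrev table. Every read is checked
 * against the section end, so truncated or corrupted input yields an
 * error code rather than an out-of-bounds read. */

#define MAX_ABBREVS 16   /* fixed limits chosen for the example */
#define MAX_ATTRS    8

struct attr_spec { uint64_t name; uint64_t form; };
struct abbrev {
    uint64_t code, tag;
    int has_children;
    size_t nattrs;
    struct attr_spec attrs[MAX_ATTRS];
};
struct abbrev_table { size_t count; struct abbrev entries[MAX_ABBREVS]; };

/* Decode one unsigned LEB128 value. Returns 0 on success, -1 if the value
 * runs past 'end' or is longer than 64 bits allow. Advances *pos only on
 * success. */
static int read_uleb128(const uint8_t **pos, const uint8_t *end, uint64_t *out)
{
    uint64_t value = 0;
    unsigned shift = 0;
    const uint8_t *p = *pos;
    for (;;) {
        if (p >= end)   return -1;   /* truncated input */
        if (shift > 63) return -1;   /* overlong encoding */
        uint8_t byte = *p++;
        value |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
        if (!(byte & 0x80)) break;
    }
    *pos = p;
    *out = value;
    return 0;
}

/* Parse a .debug_abbrev fragment terminated by abbrev code 0.
 * Returns the number of entries parsed, or -1 on malformed input. */
int parse_abbrev_table(const uint8_t *data, size_t len, struct abbrev_table *tbl)
{
    const uint8_t *p = data, *end = data + len;
    tbl->count = 0;
    for (;;) {
        uint64_t code;
        if (read_uleb128(&p, end, &code)) return -1;
        if (code == 0) return (int)tbl->count;        /* end of table */
        if (tbl->count >= MAX_ABBREVS) return -1;     /* table too large */
        struct abbrev *a = &tbl->entries[tbl->count];
        a->code = code;
        if (read_uleb128(&p, end, &a->tag)) return -1;
        if (p >= end) return -1;                       /* no DW_CHILDREN byte */
        a->has_children = *p++;
        a->nattrs = 0;
        for (;;) {                                     /* (name, form) pairs until (0, 0) */
            uint64_t name, form;
            if (read_uleb128(&p, end, &name)) return -1;
            if (read_uleb128(&p, end, &form)) return -1;
            if (name == 0 && form == 0) break;
            if (a->nattrs >= MAX_ATTRS) return -1;
            a->attrs[a->nattrs].name = name;
            a->attrs[a->nattrs].form = form;
            a->nattrs++;
        }
        tbl->count++;
    }
}

/* Look up an abbrev by code. Unknown codes return NULL; the code from the
 * DIE stream is never used as a raw index into the table. */
const struct abbrev *find_abbrev(const struct abbrev_table *tbl, uint64_t code)
{
    for (size_t i = 0; i < tbl->count; i++)
        if (tbl->entries[i].code == code) return &tbl->entries[i];
    return NULL;
}

/* Constructed sample: abbrev 1 = DW_TAG_compile_unit (0x11), has children,
 * DW_AT_producer (0x25)/DW_FORM_string (0x08), DW_AT_language (0x13)/
 * DW_FORM_data1 (0x0b), attribute terminator, then table terminator. */
static const uint8_t sample_abbrev[] = {
    0x01, 0x11, 0x01, 0x25, 0x08, 0x13, 0x0b, 0x00, 0x00, 0x00
};

/* Helpers that expose results for checking. */
int demo_valid(void)     { struct abbrev_table t; return parse_abbrev_table(sample_abbrev, sizeof sample_abbrev, &t); }
int demo_truncated(void) { struct abbrev_table t; return parse_abbrev_table(sample_abbrev, 4, &t); }
int demo_lookup_nattrs(uint64_t code)
{
    struct abbrev_table t;
    if (parse_abbrev_table(sample_abbrev, sizeof sample_abbrev, &t) < 0) return -1;
    const struct abbrev *a = find_abbrev(&t, code);
    return a ? (int)a->nattrs : -1;
}

int main(void)
{
    printf("valid: %d entries, truncated: %d, attrs of code 1: %d, code 2: %d\n",
           demo_valid(), demo_truncated(), demo_lookup_nattrs(1), demo_lookup_nattrs(2));
    return 0;
}
```

The point for an LTS reviewer is the second half of Troy's argument: the check matters only when the input is corrupted, and the cost of the check is a length comparison per read, so it is cheap to carry even where no crash has been observed.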