Brian May <b...@debian.org> writes:

> I have a build of binutils for all pending CVEs except CVE-2016-4491,

I had another look at CVE-2016-4491. Looks like the following patch from upstream git is a prerequisite. Unfortunately this patch does not apply cleanly either. So I found a potential prerequisite for this patch, it doesn't apply cleanly either. If I continue down this track much further, I might as well just use the latest upstream version.

Upstream source:
https://www.gnu.org/software/binutils/
git clone git://sourceware.org/git/binutils-gdb.git

As this CVE is considered to be a minor issue (stack overflow due to potential infinite recursion) I am inclined to think patching this CVE is not worth it.

commit 9548bbede51868a9a780d7d21ae16ac13e8bdf9b
Author: gary <gary@138bc75d-0d04-0410-961f-82ee72b054a4>
Date:   Fri Oct 25 13:56:51 2013 +0000

    libiberty/
    2013-10-25  Gary Benson  <gben...@redhat.com>

        * cp-demangle.c (struct d_saved_scope): New structure.
        (struct d_print_info): New fields saved_scopes and
        num_saved_scopes.
        (d_print_init): Initialize the above.
        (d_print_free): New function.
        (cplus_demangle_print_callback): Call the above.
        (d_copy_templates): New function.
        (d_print_comp): New variables saved_templates and
        need_template_restore.
        [DEMANGLE_COMPONENT_REFERENCE,
        DEMANGLE_COMPONENT_RVALUE_REFERENCE]: Capture scope the first
        time the component is traversed, and use the captured scope for
        subsequent traversals.
        * testsuite/demangle-expected: Add regression test.

    git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@204068 138bc75d-0d04-0410-961f-82ee72b054a4

--
Brian May <b...@debian.org>