Hi,

I have also started to look into CVE-2016-6131.

I agree with Markus that this is not a security issue. Well, it is an issue for the availability of the tool itself, that is, if you stumble on it the tool may crash. So in a sense it is a low impact on availability. However, I hardly think we should consider availability impact on build tools. Red Hat seems to have come to the same conclusion:
https://access.redhat.com/security/cve/cve-2016-6131

Due to this I have marked this as no-dsa (except for binutils, where I let Brian judge that as he is working on it). If you disagree, please complain and/or reverse what I did.

This means that I have also removed the following packages from dla-needed.txt:
- gdb
- gcc-h8300-hms
- ht
- binutils-h8300-hms
- valgrind

I did not remove binutils from dla-needed.txt as Brian had claimed that and it was discussed above that it may be good to have safe fixes even though they are not strictly needed.

Best regards

// Ola

On Thu, Jul 14, 2016 at 9:19 AM, Brian May <b...@debian.org> wrote:
> I have CCed the package maintainer, the two people in the Uploaders
> header, and the person who made the last security update of binutils.
>
> I have a LTS update of binutils for wheezy, that fixes most of the
> pending minor security issues. All except CVE-2016-4491 to be
> precise. Attached is a copy of the patch from the current version, below
> is a URL to a version available for testing.
>
> https://people.debian.org/~bam/debian/pool/main/b/binutils/
>
> I have not found any regressions in my testing of this package.
>
> If there are no objections I plan to upload this next Monday (18th).
> --
> Brian May <b...@debian.org>
>

--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------