Your message dated Mon, 15 Jan 2007 22:12:20 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Close
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: binutils
Version: 2.16.1cvs20060413-1
Severity: normal
Tags: security patch
CVE-2006-2362: "Buffer overflow in getsym in tekhex.c in libbfd in Free
Software Foundation GNU Binutils before 20060423, as used by GNU
strings, allows context-dependent attackers to cause a denial of service
(application crash) and possibly execute arbitrary code via a file with
a crafted Tektronix Hex Format (TekHex) record in which the length
character is not a valid hexadecimal character."
This is bugzilla #2584 [1]. The entry contains a test case; I have
verified that it causes the described behavior with `strings` from
2.16.1cvs20060413-1. There is a proposed patch [2] but I have not yet
verified it.
Please mention the CVE in your changelog.
Thanks,
Alec
[1] http://sourceware.org/bugzilla/show_bug.cgi?id=2584
[2] http://sourceware.org/bugzilla/attachment.cgi?id=978&action=view
--- End Message ---
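The record the CVE text describes has a single length character that is decoded without first checking it is a hex digit. The following getsym-style field parser is an added illustration written for this page, not binutils' tekhex.c and not the patch linked above; it assumes a field layout of one hex length digit followed by that many bytes, and the 17-byte destination size is a constructed value.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed for this example: the destination buffer size a caller of a
   getsym-style parser might use. The real tekhex.c buffer size is not
   stated in the report above. */
#define SYM_BUF 17

/* Value of a single hex digit. Caller must have checked isxdigit() first. */
static unsigned hex_digit(char c)
{
    if (c >= '0' && c <= '9')
        return (unsigned)(c - '0');
    return (unsigned)(tolower((unsigned char)c) - 'a') + 10;
}

/* Parse one getsym-style field: one hex length digit, then that many bytes.
   Copies the name into dst (NUL-terminated) and returns the number of input
   bytes consumed, or 0 if the field is malformed. The point of the check on
   src[0] is the CVE-2006-2362 condition: a non-hex length character is
   rejected instead of being decoded into a length the buffer cannot hold. */
size_t getsym_checked(const char *src, size_t src_len, char *dst, size_t dst_size)
{
    if (src_len == 0 || !isxdigit((unsigned char)src[0]))
        return 0;                       /* length character is not hex */
    unsigned len = hex_digit(src[0]);
    if (len >= dst_size || len > src_len - 1)
        return 0;                       /* would overflow dst, or input is truncated */
    memcpy(dst, src + 1, len);
    dst[len] = '\0';
    return len + 1;
}

/* Convenience wrapper: parse a NUL-terminated field into a SYM_BUF-byte
   buffer. Returns bytes consumed, 0 on a malformed field. */
size_t parse_field(const char *field, char *out)
{
    return getsym_checked(field, strlen(field), out, SYM_BUF);
}
```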
--- Begin Message ---
Version: 2.17-1
CVSS Severity: 7.0 (High)
Canonical rolled a 2.15-5ubuntu2.3 for this. Should a DSA be issued?
--- End Message ---