svn commit: r382177 - head/security/vuxml

Ryan Steinmetz zi at FreeBSD.org
Tue Mar 24 22:15:14 UTC 2015


Brooks,

In the future, please use 'make validate' before committing anything to
vuln.xml.

(You may need to run 'make install' from the vuxml port directory before
'make validate' will work though).

Thanks!
-r

On (03/24/15 21:32), Brooks Davis wrote:
>Author: brooks
>Date: Tue Mar 24 21:32:04 2015
>New Revision: 382177
>URL: https://svnweb.freebsd.org/changeset/ports/382177
>QAT: https://qat.redports.org/buildarchive/r382177/
>
>Log:
>  The ancient version of binutils in the cross-binutils port suffers from
>  several vulnerabilities.
>
>  This also affects devel/mingw64-binutils.
>
>  PR:		198816
>  Reported by:	Sevan Janiyan <venture37 at geeklan.co.uk>
>
>Modified:
>  head/security/vuxml/vuln.xml
>
>Modified: head/security/vuxml/vuln.xml
>==============================================================================
>--- head/security/vuxml/vuln.xml	Tue Mar 24 21:26:18 2015	(r382176)
>+++ head/security/vuxml/vuln.xml	Tue Mar 24 21:32:04 2015	(r382177)
>@@ -57,6 +57,56 @@ Notes:
>
> -->
> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
>+  <vuln vid="f6a014cd-d268-11e4-8339-001e679db764">
>+    <topic>GNU binutils -- multiple vulnerabilities</topic>
>+    <affects>
>+      <package>
>+	<name>devel/cross-binutils</name>
>+	<range><lt>2.25</lt></range>
>+      </package>
>+      <package>
>+	<name>devel/mingw64-binutils</name>
>+	<range><lt>2.25</lt></range>
>+      </package>
>+    </affects>
>+    <description>
>+      <body xmlns="http://www.w3.org/1999/xhtml">
>+	<p>US-CERT/NIST reports:</p>
>+	<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8501">
>+	  <p>The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU
>+	  binutils 2.24 and earlier allows remote attackers to cause a
>+	  denial of service (out-of-bounds write) and possibly have other
>+	  unspecified impact via a crafted NumberOfRvaAndSizes field in the
>+	  AOUT header in a PE executable.</p>
>+	</blockquote>
>+	<p>US-CERT/NIST reports:</p>
>+	<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8502">
>+	  <p>Heap-based buffer overflow in the pe_print_edata function in
>+	  bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote
>+	  attackers to cause a denial of service (crash) and possibly have
>+	  other unspecified impact via a truncated export table in a PE
>+	  file.</p>
>+	</blockquote>
>+	<p>US-CERT/NIST reports:</p>
>+	<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8503">
>+	  <p>Stack-based buffer overflow in the ihex_scan function in
>+	  bfd/ihex.c in GNU binutils 2.24 and earlier allows remote
>+	  attackers to cause a denial of service (crash) and possibly have
>+	  other unspecified impact via a crafted ihex file.</p>
>+	</blockquote>
>+      </body>
>+    </description>
>+    <references>
>+      <url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8501</url>
>+      <url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8502</url>
>+      <url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8503</url>
>+    </references>
>+    <dates>
>+      <discovery>2014-12-09</discovery>
>+      <entry>2015-03-24</entry>
>+    </dates>
>+  </vuln>
>+
>   <vuln vid="996bce94-d23d-11e4-9463-9cb654ea3e1c">
>     <topic>libuv -- incorrect revocation order while relinquishing privileges</topic>
>     <affects>
>
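Review bot: The `<references>` block of the new entry lists the three advisories only as `<url>` elements; a vuxml entry normally also records each CVE as its own `<cvename>` element (for example `<cvename>CVE-2014-8501</cvename>`, and likewise for CVE-2014-8502 and CVE-2014-8503) so that tooling that matches on CVE identifiers finds the entry. The three identical `<p>US-CERT/NIST reports:</p>` lead-ins in the description could also be collapsed to a single one ahead of the three blockquotes.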

-- 
Ryan Steinmetz
PGP: 9079 51A3 34EF 0CD4 F228  EDC6 1EF8 BA6B D028 46D7
