Date:      Tue, 24 Mar 2015 18:15:09 -0400
From:      Ryan Steinmetz <zi@FreeBSD.org>
To:        Brooks Davis <brooks@FreeBSD.org>
Cc:        svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org
Subject:   Re: svn commit: r382177 - head/security/vuxml
Message-ID:  <20150324221509.GA37845@exodus.zi0r.com>
In-Reply-To: <201503242132.t2OLW4hH013602@svn.freebsd.org>
References:  <201503242132.t2OLW4hH013602@svn.freebsd.org>

Brooks,

In the future, please use 'make validate' before committing anything to
vuln.xml.

(You may need to run 'make install' from the vuxml port directory before
'make validate' will work though).

Thanks!
-r

On (03/24/15 21:32), Brooks Davis wrote:
>Author: brooks
>Date: Tue Mar 24 21:32:04 2015
>New Revision: 382177
>URL: https://svnweb.freebsd.org/changeset/ports/382177
>QAT: https://qat.redports.org/buildarchive/r382177/
>
>Log:
>  The ancient version of binutils in the cross-binutils port suffers from
>  several vulnerabilities.
>
>  This also affects devel/mingw64-binutils.
>
>  PR:		198816
>  Reported by:	Sevan Janiyan <venture37@geeklan.co.uk>
>
>Modified:
>  head/security/vuxml/vuln.xml
>
>Modified: head/security/vuxml/vuln.xml
>==============================================================================
>--- head/security/vuxml/vuln.xml	Tue Mar 24 21:26:18 2015	(r382176)
>+++ head/security/vuxml/vuln.xml	Tue Mar 24 21:32:04 2015	(r382177)
>@@ -57,6 +57,56 @@ Notes:
>
> -->
> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
>+  <vuln vid="f6a014cd-d268-11e4-8339-001e679db764">
>+    <topic>GNU binutils -- multiple vulnerabilities</topic>
>+    <affects>
>+      <package>
>+	<name>devel/cross-binutils</name>
>+	<range><lt>2.25</lt></range>
>+      </package>
>+      <package>
>+	<name>devel/mingw64-binutils</name>
>+	<range><lt>2.25</lt></range>
>+      </package>
>+    </affects>
>+    <description>
>+      <body xmlns="http://www.w3.org/1999/xhtml">;
>+	<p>US-CERT/NIST reports:</p>
>+	<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8501">;
>+	  <p>The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU
>+	  binutils 2.24 and earlier allows remote attackers to cause a
>+	  denial of service (out-of-bounds write) and possibly have other
>+	  unspecified impact via a crafted NumberOfRvaAndSizes field in the
>+	  AOUT header in a PE executable.</p>
>+	</blockquote>
>+	<p>US-CERT/NIST reports:</p>
>+	<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8502">;
>+	  <p>Heap-based buffer overflow in the pe_print_edata function in
>+	  bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote
>+	  attackers to cause a denial of service (crash) and possibly have
>+	  other unspecified impact via a truncated export table in a PE
>+	  file.</p>
>+	</blockquote>
>+	<p>US-CERT/NIST reports:</p>
>+	<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8503">;
>+	  <p>Stack-based buffer overflow in the ihex_scan function in
>+	  bfd/ihex.c in GNU binutils 2.24 and earlier allows remote
>+	  attackers to cause a denial of service (crash) and possibly have
>+	  other unspecified impact via a crafted ihex file.</p>
>+	</blockquote>
>+      </body>
>+    </description>
>+    <references>
>+      <url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8501</url>;
>+      <url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8502</url>;
>+      <url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8503</url>;
>+    </references>
>+    <dates>
>+      <discovery>2014-12-09</discovery>
>+      <entry>2015-03-24</entry>
>+    </dates>
>+  </vuln>
>+
>   <vuln vid="996bce94-d23d-11e4-9463-9cb654ea3e1c">
>     <topic>libuv -- incorrect revocation order while relinquishing privileges</topic>
>     <affects>
>
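Review bot: the two `<name>` elements in the added `<affects>` block carry port origins (`devel/cross-binutils`, `devel/mingw64-binutils`), but VuXML `<name>` holds the package name that `pkg audit` compares against installed packages, not the port directory, so as written the entry is unlikely to match any installed package; use the package names the ports actually produce. Two smaller points on the same hunk: the three CVEs would normally be recorded in `<references>` as `<cvename>CVE-2014-8501</cvename>` and so on rather than only as NVD `<url>`s, and the three identical `<p>US-CERT/NIST reports:</p>` lead-ins in `<description>` could be collapsed into one. Running `make validate` in security/vuxml before committing, as requested above, is what catches schema problems in entries like this.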

-- 
Ryan Steinmetz
PGP: 9079 51A3 34EF 0CD4 F228  EDC6 1EF8 BA6B D028 46D7