This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: vulnerabilities in libbfd (CVE-2014-beats-me)


Hi Maciej, Hi Michal,

$ wget http://lcamtuf.coredump.cx/strings-bfd-badptr2

FYI, this test case has now been fixed.

In any case: the bottom line is that if you are used to running
strings on random files, or depend on any libbfd-based tools for
forensic purposes, you should probably change your habits. For strings
specifically, invoking it with the -a parameter seems to inhibit the
use of libbfd. Distro vendors may want to consider making the -a mode
default, too.

There are also alternatives to the GNU Binutils strings program. eu-strings for example, or even "od -S 4".


It is true however that there are still vulnerabilities in libbfd, and I for one would happy to see new bug reports exposing them. I can assure you that any such bug report reaching me will be treated seriously, and will be investigated and fixed as soon as possible.

Cheers
  Nick



Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]