CVE-2017-12450

NameCVE-2017-12450
DescriptionThe alpha_vms_object_p function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap write and possibly achieve code execution via a crafted vms alpha file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
binutils (PTS)wheezy2.22-8+deb7u2vulnerable
wheezy (security)2.22-8+deb7u3vulnerable
jessie2.25-5+deb8u1vulnerable
stretch2.28-5vulnerable
buster2.29.1-4fixed
sid2.29.1-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
binutilssource(unstable)2.29-9medium

Notes

[stretch] - binutils <ignored> (Minor issue)
[jessie] - binutils <ignored> (Minor issue)
[wheezy] - binutils <no-dsa> (Minor issue)
https://sourceware.org/bugzilla/show_bug.cgi?id=21813
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8a2df5e2df374289e00ecd8f099eb46d76ef982e

Search for package or bug name: Reporting problems