Description: The pe_print_idata function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles HintName vector entries, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted PE file, related to the bfd_getl16 function.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release            Version          Status
binutils (PTS)   wheezy             2.22-8+deb7u2    vulnerable
                 wheezy (security)  2.22-8+deb7u3    vulnerable
                 buster, sid        2.30-7           fixed

The information below is based on the following data on fixed versions.

Package   Type   Release   Fixed Version   Urgency   Origin   Debian Bugs


[stretch] - binutils <ignored> (Minor issue)
[jessie] - binutils <ignored> (Minor issue)
[wheezy] - binutils <ignored> (Minor issue)
;h=4d465c689a8fb27212ef358d0aee89d60dee69a6;h=dcaaca89e8618eba35193c27afcb1cfa54f74582
