CVE-2017-8396

NameCVE-2017-8396
DescriptionThe Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
binutils (PTS)wheezy2.22-8+deb7u2vulnerable
wheezy (security)2.22-8+deb7u3vulnerable
jessie2.25-5+deb8u1vulnerable
stretch2.28-5fixed
buster, sid2.29.1-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
binutilssource(unstable)2.28-5medium

Notes

[jessie] - binutils <ignored> (Minor issue)
[wheezy] - binutils <no-dsa> (Minor issue)
https://sourceware.org/bugzilla/show_bug.cgi?id=21432
Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a941291cab71b9ac356e1c03968c177c03e602ab

Search for package or bug name: Reporting problems