[Git][security-tracker-team/security-tracker][master] 12 commits: Reference gcc (libiberty) upstream fix for CVE-2018-12641

Tue Jan 1 22:16:53 GMT 2019

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c9ad896c by Salvatore Bonaccorso at 2019-01-01T21:29:34Z
Reference gcc (libiberty) upstream fix for CVE-2018-12641

- - - - -
f4715e6e by Salvatore Bonaccorso at 2019-01-01T21:34:03Z
Reference upstream gcc (libiberty) fix for upstream bug 85454

Adresses the CVEs CVE-2018-12697, CVE-2018-12698, CVE-2018-12699 and
CVE-2018-12700 for binutils.

Cf. https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454

- - - - -
7af3d1f6 by Salvatore Bonaccorso at 2019-01-01T21:37:58Z
CVE-2018-12934: Add additional upstream bug reference

The upstream issue https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85453
was actually a duplicate report of
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84950 .

- - - - -
28b23596 by Salvatore Bonaccorso at 2019-01-01T21:48:22Z
Track fix for CVE-2018-1735{8,9}/binutils in experimental version

The fix is present in the experimentalversion since the import of
2.31.51.20181022 from trunk.

- - - - -
5c952362 by Salvatore Bonaccorso at 2019-01-01T21:53:05Z
Track fixed version for CVE-2018-17360/binutils via experimental

The fix landed in experimental via the import of the new upstream
version 2.31.51.20181022 based on trunk.

- - - - -
32a1a728 by Salvatore Bonaccorso at 2019-01-01T21:57:25Z
Reference gcc (libiberty) fix for various CVEs

CVE-2018-18701, CVE-2018-18700, CVE-2018-18484, CVE-2018-17985 and
CVE-2018-17794 for binutils all refer to the same upstream fix in the
underlying libibierty issue fixed by
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9
..

- - - - -
dcb45789 by Salvatore Bonaccorso at 2019-01-01T22:01:37Z
CVE-2018-18309/binutils fixed in experimental

The new upstream version 2.31.51.20181022 imported to experimental
adressed CVE-2018-18309.

- - - - -
b73b0707 by Salvatore Bonaccorso at 2019-01-01T22:06:20Z
CVE-2018-18605/binutils fixed in experimental

- - - - -
469bd6cf by Salvatore Bonaccorso at 2019-01-01T22:07:44Z
CVE-2018-18606/binutils fixed in experimental

- - - - -
5a888b98 by Salvatore Bonaccorso at 2019-01-01T22:08:47Z
CVE-2018-18607/binutils fixed in experimental

- - - - -
c9979e88 by Salvatore Bonaccorso at 2019-01-01T22:11:43Z
CVE-2018-19931/binutils fixed in experimental with 2.31.51.20181204-1

- - - - -
6aea9d29 by Salvatore Bonaccorso at 2019-01-01T22:12:46Z
CVE-2018-19932/binutils fixed in experimental via 2.31.51.20181204-1

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -5850,12 +5850,14 @@ CVE-2018-19935 (ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remot
 	NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77020
 	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=648fc1e369fc05fb9200a42c7938912236b2a318
 CVE-2018-19932 (An issue was discovered in the Binary File Descriptor (BFD) library ...)
+	[experimental] - binutils 2.31.51.20181204-1
 	- binutils <unfixed>
 	[stretch] - binutils <ignored> (Minor issue)
 	[jessie] - binutils <ignored> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23932
 	NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=beab453223769279cc1cef68a1622ab8978641f7
 CVE-2018-19931 (An issue was discovered in the Binary File Descriptor (BFD) library ...)
+	[experimental] - binutils 2.31.51.20181204-1
 	- binutils <unfixed>
 	[stretch] - binutils <ignored> (Minor issue)
 	[jessie] - binutils <ignored> (Minor issue)
@@ -11957,11 +11959,13 @@ CVE-2018-18701 (An issue was discovered in cp-demangle.c in GNU libiberty, as ..
 	[stretch] - binutils <ignored> (Minor issue)
 	[jessie] - binutils <ignored> (Minor issue)
 	NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675
+	NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9
 CVE-2018-18700 (An issue was discovered in cp-demangle.c in GNU libiberty, as ...)
 	- binutils <unfixed>
 	[stretch] - binutils <ignored> (Minor issue)
 	[jessie] - binutils <ignored> (Minor issue)
 	NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87681
+	NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9
 CVE-2018-18699 (An issue was discovered in GoPro gpmf-parser 1.2.1. There is an ...)
 	NOT-FOR-US: GoPro gpmf-parser
 CVE-2018-18698 (An issue was discovered on Xiaomi Mi A1 ...)
@@ -12193,18 +12197,21 @@ CVE-2018-18609
 CVE-2018-18608 (DedeCMS 5.7 SP2 allows XSS via the function named GetPageList defined ...)
 	NOT-FOR-US: DedeCMS
 CVE-2018-18607 (An issue was discovered in elf_link_input_bfd in elflink.c in the ...)
+	[experimental] - binutils 2.31.51.20181204-1
 	- binutils <unfixed>
 	[stretch] - binutils <ignored> (Minor issue)
 	[jessie] - binutils <ignored> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23805
 	NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=102def4da826b3d9e169741421e5e67e8731909a
 CVE-2018-18606 (An issue was discovered in the merge_strings function in merge.c in the ...)
+	[experimental] - binutils 2.31.51.20181204-1
 	- binutils <unfixed>
 	[stretch] - binutils <ignored> (Minor issue)
 	[jessie] - binutils <ignored> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23806
 	NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=45a0eaf77022963d639d6d19871dbab7b79703fc
 CVE-2018-18605 (A heap-based buffer over-read issue was discovered in the function ...)
+	[experimental] - binutils 2.31.51.20181204-1
 	- binutils <unfixed>
 	[stretch] - binutils <ignored> (Minor issue)
 	[jessie] - binutils <ignored> (Minor issue)
@@ -12527,6 +12534,7 @@ CVE-2018-18484 (An issue was discovered in cp-demangle.c in GNU libiberty, as ..
 	[stretch] - binutils <ignored> (Minor issue)
 	[jessie] - binutils <ignored> (Minor issue)
 	NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636
+	NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9
 CVE-2018-18483 (The get_count function in cplus-dem.c in GNU libiberty, as distributed ...)
 	- binutils <unfixed>
 	[stretch] - binutils <ignored> (Minor issue)
@@ -13001,6 +13009,7 @@ CVE-2018-18310 (An invalid memory address dereference was discovered in ...)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23752
 	NOTE: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00022.html
 CVE-2018-18309 (An issue was discovered in the Binary File Descriptor (BFD) library ...)
+	[experimental] - binutils 2.31.51.20181022-1
 	- binutils <unfixed>
 	[stretch] - binutils <ignored> (Minor issue)
 	[jessie] - binutils <ignored> (Minor issue)
@@ -13938,6 +13947,7 @@ CVE-2018-17985 (An issue was discovered in cp-demangle.c in GNU libiberty, as ..
 	[stretch] - binutils <ignored> (Minor issue)
 	[jessie] - binutils <ignored> (Minor issue)
 	NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335
+	NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9
 CVE-2018-17984 (An unanchored /[a-z]{2}/ regular expression in ISPConfig before 3.1.13 ...)
 	NOT-FOR-US: ISPConfig
 CVE-2018-17982
@@ -14428,6 +14438,7 @@ CVE-2018-17794 (An issue was discovered in cplus-dem.c in GNU libiberty, as dist
 	[stretch] - binutils <ignored> (Minor issue)
 	[jessie] - binutils <ignored> (Minor issue)
 	NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87350
+	NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9
 CVE-2015-9268 (Nullsoft Scriptable Install System (NSIS) before 2.49 has unsafe ...)
 	{DLA-1602-1}
 	- nsis 2.50-1
@@ -15417,18 +15428,21 @@ CVE-2018-17362
 CVE-2018-17361 (Multiple XSS vulnerabilities in WeaselCMS v0.3.6 allow remote attackers ...)
 	NOT-FOR-US: WeaselCMS
 CVE-2018-17360 (An issue was discovered in the Binary File Descriptor (BFD) library ...)
+	[experimental] - binutils 2.31.51.20181022-1
 	- binutils <unfixed>
 	[stretch] - binutils <ignored> (Minor issue)
 	[jessie] - binutils <ignored> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23685
 	NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cf93e9c2cf8f8b2566f8fc86e961592b51b5980d
 CVE-2018-17359 (An issue was discovered in the Binary File Descriptor (BFD) library ...)
+	[experimental] - binutils 2.31.51.20181022-1
 	- binutils <unfixed>
 	[stretch] - binutils <ignored> (Minor issue)
 	[jessie] - binutils <ignored> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23686
 	NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=30838132997e6a3cfe3ec11c58b32b22f6f6b102
 CVE-2018-17358 (An issue was discovered in the Binary File Descriptor (BFD) library ...)
+	[experimental] - binutils 2.31.51.20181022-1
 	- binutils <unfixed>
 	[stretch] - binutils <ignored> (Minor issue)
 	[jessie] - binutils <ignored> (Minor issue)
@@ -26483,6 +26497,7 @@ CVE-2018-12934 (remember_Ktype in cplus-dem.c in GNU libiberty, as distributed i
 	[stretch] - binutils <ignored> (Minor issue)
 	[jessie] - binutils <ignored> (Minor issue)
 	NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85453
+	NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84950
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23059
 CVE-2018-12933 (PlayEnhMetaFileRecord in enhmetafile.c in Wine 3.7 allows attackers to ...)
 	- wine 4.0~rc1-1 (low)
@@ -27051,24 +27066,28 @@ CVE-2018-12700 (A Stack Exhaustion issue was discovered in debug_write_type in d
 	[jessie] - binutils <ignored> (Minor issue)
 	NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23057
+	NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9
 CVE-2018-12699 (finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a ...)
 	- binutils <unfixed> (low)
 	[stretch] - binutils <ignored> (Minor issue)
 	[jessie] - binutils <ignored> (Minor issue)
 	NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23057
+	NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9
 CVE-2018-12698 (demangle_template in cplus-dem.c in GNU libiberty, as distributed in ...)
 	- binutils <unfixed> (low)
 	[stretch] - binutils <ignored> (Minor issue)
 	[jessie] - binutils <ignored> (Minor issue)
 	NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23057
+	NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9
 CVE-2018-12697 (A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) ...)
 	- binutils <unfixed> (low)
 	[stretch] - binutils <ignored> (Minor issue)
 	[jessie] - binutils <ignored> (Minor issue)
 	NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23057
+	NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9
 CVE-2018-12696 (mao10cms 6 allows XSS via the article page. ...)
 	NOT-FOR-US: mao10cms
 CVE-2018-12695 (mao10cms 6 allows XSS via the m=bbs&a=index page. ...)
@@ -27194,6 +27213,7 @@ CVE-2018-12641 (An issue was discovered in arm_pt in cplus-dem.c in GNU libibert
 	NOTE: https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763099
 	NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85452
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23058
+	NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9
 CVE-2018-12640 (The webService binary on Insteon HD IP Camera White 2864-222 devices ...)
 	NOT-FOR-US: Insteon
 CVE-2018-12639



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/50c003f1579227bebe54f027310e939356156379...6aea9d298a872b2ac5d05c75803c8cd65df783df

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/50c003f1579227bebe54f027310e939356156379...6aea9d298a872b2ac5d05c75803c8cd65df783df
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190101/96313c60/attachment-0001.html>
