Hi,

I've been running a little scriptlet to test whether I could get mail
sent to my ISP inbox. The full script runs esync and glsa-check, but
naturally I didn't want to sync 700 times, so I just ran the glsa-check
section.

To my surprise, I had an open GLSA (I just fixed everything a couple of
days ago), namely 200506-01, in binutils and elfutils (I don't have
elfutils).

Hmm, buffer overflow error, sounds bad. All right, but I updated
binutils earlier today, and usually when one does that it's supposed to
plug the hole, right? So I investigated further.

Here's the GLSA:

glsa-check --dump 200506-01
WARNING: This tool is completely new and not very tested, so it should not be
used on production systems. It's mainly a test tool for the new GLSA release
and distribution system, it's functionality will later be merged into emerge
and equery.
Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml
before using this tool AND before reporting a bug.

            GLSA 200506-01:
Binutils, elfutils: Buffer overflow
============================================================================
Synopsis:          Various utilities from the GNU Binutils and elfutils
                   packages are vulnerable to a heap based buffer overflow,
                   potentially resulting in the execution of arbitrary code.
Announced on:      June 01, 2005
Last revised on:   June 01, 2005: 01

Affected package:  sys-devel/binutils
Affected archs:    All
Vulnerable:        <2.16-r1
Unaffected:        >=~2.14.90.0.8-r3 >=~2.15.90.0.1.1-r5 >=~2.15.90.0.3-r5
                   >=~2.15.91.0.2-r2 >=~2.15.92.0.2-r10 >=2.16-r1

... which if you look at it, is rather contradictory, since all versions
less than 2.16-r1 are vulnerable, but it appears that every version
>2.14.90.whatever are unaffected.... but fine.

Here's what I've got on the system:

eix binutils

* sys-devel/binutils
     Available versions:  *2.14 2.14.90.0.8-r3 *2.15 2.15.90.0.1.1-r5
*2.15.90.0.3-r4 *2.15.90.0.3-r5 *2.15.91.0.2-r1 *2.15.91.0.2-r2
2.15.92.0.2-r10 *2.15.94.0.2.2 *~2.16-r1 *~2.16.1 *2.16.90.0.3
     Installed:           2.15.92.0.2-r10 2.14.90.0.8-r1 2.16-r1 2.16.1
     Homepage:            http://sources.redhat.com/binutils/
     Description:         Tools necessary to build programs

Now why the hell I've got 4 versions of binutils installed I don't know,
but it would seem that I am likely affected, so I proceeded to fix the glsa:

glsa-check --fix 200506-01
WARNING: This tool is completely new and not very tested, so it should not be
used on production systems. It's mainly a test tool for the new GLSA release
and distribution system, it's functionality will later be merged into emerge
and equery.
Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml
before using this tool AND before reporting a bug.

fixing 200506-01
>>> merging sys-devel/binutils-2.16-r1

and so binutils-2.16-r1 was re-emerged. Fine. I ran the script again (I
was originally testing my mta, remember?), expecting to get a mail
saying that I had no open GLSA vulnerabilities, but... the mail said
that I was vulnerable to 200506-01.

Right, I thought, I've got 4 versions of binutils, maybe it's another one.

Well, it wasn't. I've run this GLSA scriptlet 3 times, gotten the same
mail, and run glsa-check --pretend 200506-01 several times. All this
GLSA will do to apply itself is to re-emerge the same version of
binutils, which apparently doesn't fix the problem, because it still
claims I'm affected by it. Which I may well be.

So my questions are:

1) Am I supposed to have 4 versions of binutils in the first place?

2) How do I get this GLSA to actually apply, or know that it's applied,
or whatever?

Thanks,
Holly
-- 
gentoo-user@gentoo.org mailing list
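Added example, not part of Holly's post and not glsa-check's own code: a small Python script that evaluates the Vulnerable/Unaffected ranges quoted from `glsa-check --dump` against the four installed versions quoted from `eix`, so you can see which installed version the GLSA is actually flagging. It assumes two things: that an operator followed by `~` (e.g. `>=~2.14.90.0.8-r3`) is Portage's revision relation, meaning the dotted base version must be identical and only the `-rN` revision is compared (my reading of the `rge`-style relations in the glsa module); and that versions are plain numeric with an optional `-rN` revision, which is true of every version in the post but not of Gentoo versions in general.

```python
import re

# Ranges copied from the glsa-check --dump output quoted in the post.
VULNERABLE = ["<2.16-r1"]
UNAFFECTED = [
    ">=~2.14.90.0.8-r3", ">=~2.15.90.0.1.1-r5", ">=~2.15.90.0.3-r5",
    ">=~2.15.91.0.2-r2", ">=~2.15.92.0.2-r10", ">=2.16-r1",
]
# Installed versions copied from the eix output quoted in the post.
INSTALLED = ["2.15.92.0.2-r10", "2.14.90.0.8-r1", "2.16-r1", "2.16.1"]

# Assumption: only plain numeric versions with an optional -rN revision
# (no _pre/_rc/letter suffixes), which covers every version in the post.
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")
_ATOM_RE = re.compile(r"^(>=|<=|>|<|=)(~?)(.+)$")


def parse_version(ver):
    """Split '2.14.90.0.8-r3' into ((2, 14, 90, 0, 8), 3); missing -rN is 0."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError("unsupported version syntax: %r" % ver)
    base = tuple(int(x) for x in m.group(1).split("."))
    return base, int(m.group(2) or 0)


def _cmp(a, b):
    return (a > b) - (a < b)


def compare_base(a, b):
    """Compare dotted numeric parts; a shorter tuple is padded with zeros,
    so '2.16' sorts below '2.16.1'."""
    n = max(len(a), len(b))
    return _cmp(a + (0,) * (n - len(a)), b + (0,) * (n - len(b)))


def compare_version(x, y):
    """Full comparison: dotted base first, then the -rN revision."""
    bx, rx = parse_version(x)
    by, ry = parse_version(y)
    return compare_base(bx, by) or _cmp(rx, ry)


_OPS = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0,
        ">": lambda c: c > 0, "<": lambda c: c < 0, "=": lambda c: c == 0}


def atom_matches(atom, installed):
    """True if an installed version satisfies one GLSA range atom.

    Assumption: an operator followed by '~' is the revision relation: the
    base version must be identical and only the revision is compared.
    Without '~' the whole version is compared.
    """
    m = _ATOM_RE.match(atom)
    if not m:
        raise ValueError("unsupported atom syntax: %r" % atom)
    op, tilde, ver = m.groups()
    ib, ir = parse_version(installed)
    ab, ar = parse_version(ver)
    if tilde:
        return compare_base(ib, ab) == 0 and _OPS[op](_cmp(ir, ar))
    return _OPS[op](compare_version(installed, ver))


def affected_versions(installed=INSTALLED, vulnerable=VULNERABLE,
                      unaffected=UNAFFECTED):
    """Installed versions inside some vulnerable range and outside every
    unaffected range: the ones a GLSA check keeps reporting."""
    return [v for v in installed
            if any(atom_matches(a, v) for a in vulnerable)
            and not any(atom_matches(a, v) for a in unaffected)]


def fix_candidates(version, unaffected=UNAFFECTED):
    """Unaffected '~' atoms sharing the affected version's base, i.e. the
    revision that particular slot would need to reach."""
    base, _ = parse_version(version)
    out = []
    for a in unaffected:
        _, tilde, ver = _ATOM_RE.match(a).groups()
        if tilde and compare_base(parse_version(ver)[0], base) == 0:
            out.append(a)
    return out


if __name__ == "__main__":
    for v in affected_versions():
        print("%s is still affected; fix candidates: %s"
              % (v, fix_candidates(v)))
```

Run against the quoted data, the script reports only `2.14.90.0.8-r1`: it is below `2.16-r1`, and the only unaffected atom with that base, `>=~2.14.90.0.8-r3`, requires revision r3 or later. The other three installed versions each satisfy an unaffected atom, which is why re-emerging `2.16-r1` changes nothing. Under this reading the `<2.16-r1` and `>=~...` lines are not contradictory: each `>=~` atom carves out one base version from the vulnerable range, starting at the listed revision.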