This is the mail archive of the mailing list for the binutils project.
Re: vulnerabilities in libbfd (CVE-2014-beats-me)
- From: Yury Gribov <y dot gribov at samsung dot com>
- To: Nicholas Clifton <nickc at redhat dot com>, "Maciej W. Rozycki" <macro at linux-mips dot org>, Michal Zalewski <lcamtuf at coredump dot cx>
- Cc: bugtraq <bugtraq at securityfocus dot com>, binutils at sourceware dot org
- Date: Thu, 30 Oct 2014 16:09:47 +0300
- Subject: Re: vulnerabilities in libbfd (CVE-2014-beats-me)
- Authentication-results: sourceware.org; auth=none
- References: <CALx_OUBq4iRGZNPLdCuqXmehVV=6vhXN3J16ytzM91cFqVSAoQ at mail dot gmail dot com> <alpine dot LFD dot 2 dot 11 dot 1410271451411 dot 3413 at eddie dot linux-mips dot org> <54521A7F dot 4050501 at redhat dot com>
On 10/30/2014 02:01 PM, Nicholas Clifton wrote:
Hi Maciej, Hi Michal,
$ wget http://lcamtuf.coredump.cx/strings-bfd-badptr2
FYI, this test case has now been fixed.
In any case: the bottom line is that if you are used to running
strings on random files, or depend on any libbfd-based tools for
forensic purposes, you should probably change your habits. For strings
specifically, invoking it with the -a parameter seems to inhibit the
use of libbfd. Distro vendors may want to consider making the -a mode
There are also alternatives to the GNU Binutils strings program.
eu-strings for example, or even "od -S 4".
It is true however that there are still vulnerabilities in libbfd, and I
for one would be happy to see new bug reports exposing them. I can assure
you that any such bug report reaching me will be treated seriously, and
will be investigated and fixed as soon as possible.
We could cook a (simple) ELF fuzzer and run it on Binutils with
AddressSanitizer enabled. Perhaps there is one I'm unaware of?
Traditional fuzzers like afl are necessarily limited for highly
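The practical point of the thread is that `strings -a` (and `od -S 4`) treat the input as opaque bytes, so a crafted object file never reaches the libbfd parser. The following is an added example, written for this page and not code from the thread or from binutils: a minimal whole-file string scanner in Python that has the same property. It never reads an ELF or COFF header; the sample buffer (constructed here, with an ELF ident and deliberately garbage header fields) only shows that the header content is irrelevant to the scan. The character class (printable ASCII plus tab) and the minimum length of 4 are assumptions modelled on GNU strings' defaults.

```python
#!/usr/bin/env python3
"""Whole-file printable-string scanner, in the spirit of `strings -a`.

Added example for the binutils thread above; not the GNU strings code.
The scanner walks the bytes linearly and consults no container metadata
(no ELF/COFF headers, section tables or symbol tables), so a malformed
object file cannot steer it into an out-of-bounds read the way it can a
format-aware tool.
"""
import sys
from typing import List, Tuple

MIN_LEN = 4  # assumption: same default minimum as GNU strings (-n 4)


def is_string_byte(b: int) -> bool:
    """Printable ASCII (0x20..0x7e) or tab; newline and NUL end a run.
    Assumption modelled on GNU strings' default character class."""
    return 0x20 <= b <= 0x7E or b == 0x09


def scan_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """Return (offset, text) for every run of >= min_len string bytes.

    A run that reaches the end of the buffer without a terminator is still
    reported, matching `strings` behaviour on truncated files.
    """
    found: List[Tuple[int, str]] = []
    start = None
    for i, b in enumerate(data):
        if is_string_byte(b):
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            found.append((start, data[start:i].decode("ascii")))
        start = None
    if start is not None and len(data) - start >= min_len:
        found.append((start, data[start:].decode("ascii")))
    return found


def scan_file(path: str, min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """Scan a whole file. The file is read as-is; nothing is parsed first."""
    with open(path, "rb") as fh:
        return scan_strings(fh.read(), min_len)


# Constructed sample: an ELF ident followed by garbage header bytes, then a
# few embedded strings. The scanner does not care that the header is bogus.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9   # ELF ident (never interpreted here)
    + b"\xff" * 8                           # nonsense header fields
    + b"/lib64/ld-linux-x86-64.so.2\x00"    # 27 printable bytes at offset 24
    + b"ab\x00"                             # too short to report
    + b"GCC: (GNU) 4.9\n"                   # 14 printable bytes at offset 55
    + b"\x01\x02hi\x03"                     # too short to report
)


def main(argv: List[str]) -> int:
    # Output format mirrors `strings -a -t x`: hex offset, then the string.
    hits = scan_file(argv[1]) if len(argv) > 1 else scan_strings(SAMPLE)
    for offset, text in hits:
        print(f"{offset:7x} {text}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a file argument to scan that file, or without one to scan the built-in sample; either way the only operations on the input are a read and a linear walk, which is the attack-surface reduction `-a` buys you.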