vulnerabilities in libbfd (CVE-2014-beats-me)
Nicholas Clifton
nickc@redhat.com
Thu Oct 30 11:01:00 GMT 2014
Hi Maciej, Hi Michal,
>> $ wget http://lcamtuf.coredump.cx/strings-bfd-badptr2
FYI, this test case has now been fixed.
>> In any case: the bottom line is that if you are used to running
>> strings on random files, or depend on any libbfd-based tools for
>> forensic purposes, you should probably change your habits. For strings
>> specifically, invoking it with the -a parameter seems to inhibit the
>> use of libbfd. Distro vendors may want to consider making the -a mode
>> default, too.
There are also alternatives to the GNU Binutils strings program.
eu-strings for example, or even "od -S 4".
It is true however that there are still vulnerabilities in libbfd, and I
for one would happy to see new bug reports exposing them. I can assure
you that any such bug report reaching me will be treated seriously, and
will be investigated and fixed as soon as possible.
Cheers
Nick
More information about the Binutils
mailing list