Re: Why no security support for binutils? What to do about it?
On Tue, Dec 31, 2019 at 9:47 AM Florian Weimer wrote:

> BFD and binutils have not been designed to process untrusted data.
> Usually, this does not matter at all. For example, no security
> boundary is crossed when linking object files that have just been
> compiled.

There are definitely situations where vulnerabilities in binutils (mostly objdump) are important and a security boundary could be crossed, for example: running lintian on ftp-master, malware reverse engineering and inspection of binaries for hardening features.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
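The "inspection of binaries for hardening features" case above is one where the input really is untrusted, so the reading tool itself has to be the security boundary. The following is an added example, not code from this thread or from binutils: a small, bounds-checked ELF64 program-header reader that reports PIE / NX / RELRO without handing the file to BFD or objdump. All function names (`parse_program_headers`, `hardening_features`, `is_malformed`, `build_sample_elf`) are hypothetical, and the sample ELF images are constructed in memory rather than read from a real binary.

```python
import struct

# ELF constants (from the ELF64 specification)
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC = 2
ET_DYN = 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_R, PF_W, PF_X = 0x4, 0x2, 0x1
EHDR_SIZE = 64
PHDR_SIZE = 56
MAX_PHNUM = 1024  # assumption: refuse absurd header counts instead of looping on them


class MalformedElf(ValueError):
    """Raised for any header field that does not fit inside the data we hold."""


def parse_program_headers(data: bytes):
    """Return (e_type, [(p_type, p_flags), ...]) with every offset validated first."""
    if len(data) < EHDR_SIZE or data[:4] != ELF_MAGIC:
        raise MalformedElf("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise MalformedElf("only little-endian ELF64 is handled here")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    if e_phentsize != PHDR_SIZE:
        raise MalformedElf("unexpected program header entry size")
    if e_phnum > MAX_PHNUM:
        raise MalformedElf("implausible program header count")
    # Check the whole table lies inside the buffer before touching any entry.
    table_end = e_phoff + e_phnum * PHDR_SIZE
    if e_phoff < EHDR_SIZE or table_end > len(data):
        raise MalformedElf("program header table out of bounds")
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * PHDR_SIZE)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def hardening_features(data: bytes) -> dict:
    """Report the three hardening properties visible from program headers alone."""
    e_type, phdrs = parse_program_headers(data)
    stack_flags = [f for t, f in phdrs if t == PT_GNU_STACK]
    return {
        "pie": e_type == ET_DYN,
        # No PT_GNU_STACK at all is treated as "not NX" (the conservative reading).
        "nx": bool(stack_flags) and not (stack_flags[0] & PF_X),
        "relro": any(t == PT_GNU_RELRO for t, _ in phdrs),
    }


def is_malformed(data: bytes) -> bool:
    """True when the reader rejects the input instead of reading past its end."""
    try:
        parse_program_headers(data)
    except MalformedElf:
        return True
    return False


def build_sample_elf(e_type: int, phdrs) -> bytes:
    """Constructed test image: a valid ELF64 header followed by the given phdrs."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1, 0, EHDR_SIZE, 0, 0,
        EHDR_SIZE, PHDR_SIZE, len(phdrs), 64, 0, 0,
    )
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


# Constructed samples: a hardened PIE, a weak static executable, and a truncated file
# whose header promises more program headers than the buffer actually contains.
HARDENED = build_sample_elf(ET_DYN, [(PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R)])
WEAK = build_sample_elf(ET_EXEC, [(PT_GNU_STACK, PF_R | PF_W | PF_X)])
TRUNCATED = HARDENED[: EHDR_SIZE + 10]

if __name__ == "__main__":
    print("hardened:", hardening_features(HARDENED))
    print("weak:", hardening_features(WEAK))
    print("truncated rejected:", is_malformed(TRUNCATED))
```

The design point is that every offset and count from the file is checked against `len(data)` before it is used, so a crafted header cannot drive the reader out of bounds; that is the property the thread says BFD was never built to guarantee.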
Re: Why no security support for binutils? What to do about it?
* Andreas:

> there is no security support for binutils in debian stable
> (buster). Given the importance of binutils this seems to me to be a real
> problem.

BFD and binutils have not been designed to process untrusted data. Usually, this does not matter at all. For example, no security boundary is crossed when linking object files that have just been compiled.

All these vulnerabilities do not seem very relevant, so most distributions (not just Debian) focus on fixing other issues instead.