https://nvd.nist.gov/vuln/detail/CVE-2021-3487
Thanks for these reports, Daniel. For future security reports, please include/add the relevant main reference to the URL field, and use title format: cat/port: Update to <version> (fixes security vulnerability: <cve>)
Created attachment 225233
Patch file

Add upstream patch to fix CVE-2021-3487. Bug #256133 describes vulnerability fixed with this patch. So please commit it together.
With the commit of ports a0e752df8013 devel/binutils is updated to 2.37. So this bug report should be closed now.
^Triage: Quarterly is still affected, bug 251385 was not marked for MFH.
A commit in branch 2021Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9c4ee12ed3cddad1cb19a62d05b7efe77cb896a6

commit 9c4ee12ed3cddad1cb19a62d05b7efe77cb896a6
Author: Yasuhiro Kimura <yasu@utahime.org>
AuthorDate: 2021-08-13 10:55:57 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2021-08-13 10:55:57 +0000

    devel/binutils: Add fix for CVE-2021-3487

    The CVE is fixed in main in a0e752df8013. Merging that would mean merging other changes to other ports and doing more exp-runs, so we just backport the fix in the quarterly branch to avoid too much disruption.

    VuXML entry to be handled in PR 256133.

    PR: 255368, 251385
    Reported by: diizzy@
    Security: CVE-2021-3487

 devel/binutils/Makefile                        |  2 +-
 devel/binutils/files/patch-CVE-2021-3487 (new) | 75 ++++++++++++++++++++++++++
 2 files changed, 76 insertions(+), 1 deletion(-)