Bug 255368

Summary: devel/binutils: Backport patch fixing CVE-2021-3487
Product: Ports & Packages Reporter: Daniel Engberg <diizzy>
Component: Individual Port(s) Assignee: Fernando Apesteguía <fernape>
Status: Closed FIXED    
Severity: Affects Many People CC: fernape, jflopezfernandez, ports-secteam, yasu
Priority: Normal Keywords: needs-qa, security
Version: Latest Flags: bugzilla: maintainer-feedback? (jflopezfernandez)
koobs: merge-quarterly?
Hardware: Any   
OS: Any   
URL: https://nvd.nist.gov/vuln/detail/CVE-2021-3487
Bug Depends on: 251385, 256133    
Bug Blocks:    
Description Flags
Patch file none

Description Daniel Engberg freebsd_committer 2021-04-24 18:01:33 UTC
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2021-04-25 00:39:36 UTC
Thanks for these reports Daniel. 

For future security reports, please include/add the relevant main reference to the URL field, and use title format:

  cat/port: Update to <version> (fixes security vulnerability: <cve>)
Comment 2 Yasuhiro Kimura freebsd_committer 2021-05-24 20:07:55 UTC
Created attachment 225233 [details]
Patch file

Add upstream patch to fix CVE-2021-3487.

Bug #256133 describes vulnerability fixed with this patch. So please commit it together.
Comment 3 Yasuhiro Kimura freebsd_committer 2021-08-10 18:50:02 UTC
With the commit of ports a0e752df8013 devel/binutils is updated to 2.37. So this bug report should be closed now.
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2021-08-11 01:28:57 UTC
^Triage: Quarterly is still affected, bug 251385 was not marked for MFH.
Comment 5 commit-hook freebsd_committer 2021-08-13 11:08:57 UTC
A commit in branch 2021Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9c4ee12ed3cddad1cb19a62d05b7efe77cb896a6

commit 9c4ee12ed3cddad1cb19a62d05b7efe77cb896a6
Author:     Yasuhiro Kimura <yasu@utahime.org>
AuthorDate: 2021-08-13 10:55:57 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2021-08-13 10:55:57 +0000

    devel/binutils: Add fix for CVE-2021-3487

    The CVE is fixed in main in a0e752df8013. Merging that would mean merging other
    changes to other ports and doing more exp-runs, so we just backport the fix in
    the quarterly branch to avoid too much disruption.

    VuXML entry to be handled in PR 256133.

    PR:     255368, 251385
    Reported by:    diizzy@
    Security:       CVE-2021-3487

 devel/binutils/Makefile                        |  2 +-
 devel/binutils/files/patch-CVE-2021-3487 (new) | 75 ++++++++++++++++++++++++++
 2 files changed, 76 insertions(+), 1 deletion(-)