Thanks for these reports Daniel.
For future security reports, please include/add the relevant main reference to the URL field, and use title format:
cat/port: Update to <version> (fixes security vulnerability: <cve>)
Created attachment 225233
Add upstream patch to fix CVE-2021-3487.
Bug #256133 describes the vulnerability fixed with this patch. So please commit it together.
With the commit of ports a0e752df8013, devel/binutils is updated to 2.37. So this bug report should be closed now.
^Triage: Quarterly is still affected, bug 251385 was not marked for MFH.
A commit in branch 2021Q3 references this bug:
Author: Yasuhiro Kimura <email@example.com>
AuthorDate: 2021-08-13 10:55:57 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2021-08-13 10:55:57 +0000
devel/binutils: Add fix for CVE-2021-3487
The CVE is fixed in main in a0e752df8013. Merging that would mean merging other
changes to other ports and doing more exp-runs, so we just backport the fix in
the quarterly branch to avoid too much disruption.
VuXML entry to be handled in PR 256133.
PR: 255368, 251385
Reported by: diizzy@
devel/binutils/Makefile | 2 +-
devel/binutils/files/patch-CVE-2021-3487 (new) | 75 ++++++++++++++++++++++++++
2 files changed, 76 insertions(+), 1 deletion(-)