Bug 255368 - devel/binutils: Backport patch fixing CVE-2021-3487
Summary: devel/binutils: Backport patch fixing CVE-2021-3487
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Fernando Apesteguía
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Keywords: needs-qa, security
Depends on: 251385 256133
Blocks:
  Show dependency treegraph
 
Reported: 2021-04-24 18:01 UTC by Daniel Engberg
Modified: 2021-08-18 06:18 UTC (History)
4 users (show)

See Also:
bugzilla: maintainer-feedback? (jflopezfernandez)
koobs: merge-quarterly?


Attachments
Patch file (3.28 KB, patch)
2021-05-24 20:07 UTC, Yasuhiro Kimura
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Engberg freebsd_committer 2021-04-24 18:01:33 UTC
https://nvd.nist.gov/vuln/detail/CVE-2021-3487
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2021-04-25 00:39:36 UTC
Thanks for these reports Daniel. 

For future security reports, please include/add the relevent main reference to the URL field, and use title format:

  cat/port: Update to <version> (fixes security vulnerability: <cve>)
Comment 2 Yasuhiro Kimura 2021-05-24 20:07:55 UTC
Created attachment 225233 [details]
Patch file

Add upstream patch to fix CVE-2021-3487.

Bug #256133 describes vulnerability fixed with this patch. So please commit it together.
Comment 3 Yasuhiro Kimura 2021-08-10 18:50:02 UTC
With the commit of ports a0e752df8013 devel/binutils is updated to 2.37. So this bug report should be closed now.
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2021-08-11 01:28:57 UTC
^Triage: Quarterly is still affected, bug 251385  was not marked for MFH.
Comment 5 commit-hook freebsd_committer 2021-08-13 11:08:57 UTC
A commit in branch 2021Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9c4ee12ed3cddad1cb19a62d05b7efe77cb896a6

commit 9c4ee12ed3cddad1cb19a62d05b7efe77cb896a6
Author:     Yasuhiro Kimura <yasu@utahime.org>
AuthorDate: 2021-08-13 10:55:57 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2021-08-13 10:55:57 +0000

    devel/binutils: Add fix for CVE-2021-3487

    The CVE is fixed in main in a0e752df8013. Merging that would mean merging other
    changes to other ports and doing more exp-runs, so we just backport the fix in
    the quarterly branch to avoid too much disruption.

    VuXML entry to be handled in PR 256133.

    PR:     255368, 251385
    Reported by:    diizzy@
    Security:       CVE-2021-3487

 devel/binutils/Makefile                        |  2 +-
 devel/binutils/files/patch-CVE-2021-3487 (new) | 75 ++++++++++++++++++++++++++
 2 files changed, 76 insertions(+), 1 deletion(-)