USN-2496-1
- Source
- https://ubuntu.com/security/notices/USN-2496-1
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-2496-1.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/USN-2496-1
- Upstream
- Related
- Published
- 2015-02-09T21:39:27.371075Z
- Modified
- 2025-10-13T04:34:05Z
- Summary
- binutils vulnerabilities
- Details
-
Michal Zalewski discovered that the setup_group function in libbfd in GNU binutils did not properly check group headers in ELF files. An attacker could use this to craft input that could cause a denial of service (application crash) or possibly execute arbitrary code. (CVE-2014-8485)
Hanno Böck discovered that the bfdXXiswapaouthdr_in function in libbfd in GNU binutils allowed out-of-bounds writes. An attacker could use this to craft input that could cause a denial of service (application crash) or possibly execute arbitrary code. (CVE-2014-8501)
Hanno Böck discovered a heap-based buffer overflow in the peprintedata function in libbfd in GNU binutils. An attacker could use this to craft input that could cause a denial of service (application crash) or possibly execute arbitrary code. (CVE-2014-8502)
Alexander Cherepanov discovered multiple directory traversal vulnerabilities in GNU binutils. An attacker could use this to craft input that could delete arbitrary files. (CVE-2014-8737)
Alexander Cherepanov discovered the bfdslurpextendedname_table function in libbfd in GNU binutils allowed invalid writes when handling extended name tables in an archive. An attacker could use this to craft input that could cause a denial of service (application crash) or possibly execute arbitrary code. (CVE-2014-8738)
Hanno Böck discovered a stack-based buffer overflow in the ihex_scan function in libbfd in GNU binutils. An attacker could use this to craft input that could cause a denial of service (application crash). (CVE-2014-8503)
Michal Zalewski discovered a stack-based buffer overflow in the srec_scan function in libbfd in GNU binutils. An attacker could use this to to craft input that could cause a denial of service (application crash); the GNU C library's Fortify Source printf protection should prevent the possibility of executing arbitrary code. (CVE-2014-8504)
Michal Zalewski discovered that the srec_scan function in libbfd in GNU binutils allowed out-of-bounds reads. An attacker could use this to craft input to cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 12.04 LTS, and Ubuntu 10.04 LTS. (CVE-2014-8484)
Sang Kil Cha discovered multiple integer overflows in the objallocalloc function and objalloc_alloc macro in binutils. This could allow an attacker to cause a denial of service (application crash). This issue only affected Ubuntu 12.04 LTS and Ubuntu 10.04 LTS. (CVE-2012-3509)
Alexander Cherepanov and Hanno Böck discovered multiple additional out-of-bounds reads and writes in GNU binutils. An attacker could use these to craft input that could cause a denial of service (application crash) or possibly execute arbitrary code. A few of these issues may be limited in exposure to a denial of service (application abort) by the GNU C library's Fortify Source printf protection.
The strings(1) utility in GNU binutils used libbfd by default when examining executable object files; unfortunately, libbfd was not originally developed with the expectation of hostile input. As a defensive measure, the behavior of strings has been changed to default to 'strings --all' behavior, which does not use libbfd; use the new argument to strings, '--data', to recreate the old behavior.
- References
-
- https://ubuntu.com/security/notices/USN-2496-1
- https://ubuntu.com/security/CVE-2012-3509
- https://ubuntu.com/security/CVE-2014-8484
- https://ubuntu.com/security/CVE-2014-8485
- https://ubuntu.com/security/CVE-2014-8501
- https://ubuntu.com/security/CVE-2014-8502
- https://ubuntu.com/security/CVE-2014-8503
- https://ubuntu.com/security/CVE-2014-8504
- https://ubuntu.com/security/CVE-2014-8737
- https://ubuntu.com/security/CVE-2014-8738
Affected packages
Ubuntu:14.04:LTS / binutils
Package
- Name
- binutils
- Purl
- pkg:deb/ubuntu/binutils@2.24-5ubuntu3.1?arch=source&distro=trusty
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.24-5ubuntu3.1
Affected versions
2.*
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"binary_version": "2.24-5ubuntu3.1",
"binary_name": "binutils"
},
{
"binary_version": "2.24-5ubuntu3.1",
"binary_name": "binutils-dev"
},
{
"binary_version": "2.24-5ubuntu3.1",
"binary_name": "binutils-multiarch"
},
{
"binary_version": "2.24-5ubuntu3.1",
"binary_name": "binutils-multiarch-dev"
},
{
"binary_version": "2.24-5ubuntu3.1",
"binary_name": "binutils-source"
},
{
"binary_version": "2.24-5ubuntu3.1",
"binary_name": "binutils-static"
}
]
}
Database specific
cves_map
{
"ecosystem": "Ubuntu:14.04:LTS",
"cves": [
{
"severity": [
{
"type": "Ubuntu",
"score": "medium"
}
],
"id": "CVE-2014-8484"
},
{
"severity": [
{
"type": "Ubuntu",
"score": "medium"
}
],
"id": "CVE-2014-8485"
},
{
"severity": [
{
"type": "Ubuntu",
"score": "medium"
}
],
"id": "CVE-2014-8501"
},
{
"severity": [
{
"type": "Ubuntu",
"score": "medium"
}
],
"id": "CVE-2014-8502"
},
{
"severity": [
{
"type": "Ubuntu",
"score": "medium"
}
],
"id": "CVE-2014-8503"
},
{
"severity": [
{
"type": "Ubuntu",
"score": "medium"
}
],
"id": "CVE-2014-8504"
},
{
"severity": [
{
"type": "Ubuntu",
"score": "medium"
}
],
"id": "CVE-2014-8737"
},
{
"severity": [
{
"type": "Ubuntu",
"score": "medium"
}
],
"id": "CVE-2014-8738"
}
]
}