public inbox for binutils@sourceware.org
* CVE-2023-25586 fix on binutils-2.38
@ 2023-06-15  9:49 Sundeep KOKKONDA
  2023-06-15 10:17 ` Nick Clifton
  0 siblings, 1 reply; 2+ messages in thread
From: Sundeep KOKKONDA @ 2023-06-15  9:49 UTC (permalink / raw)
  To: binutils


Hello,

We've observed while working on CVE-2023-25586 that binutils 2.38 had its last update in 08/2022.
Is this branch still under maintenance/support by binutils? And is there any plan to fix CVE-2023-25586 for the 2.38 branch? (This CVE is fixed in 2.40, and when we tried to backport it we noticed it has a lot of dependencies to take.)

In general, how long will a branch be maintained and updated by binutils?



Thanks,
Sundeep.


* Re: CVE-2023-25586 fix on binutils-2.38
  2023-06-15  9:49 CVE-2023-25586 fix on binutils-2.38 Sundeep KOKKONDA
@ 2023-06-15 10:17 ` Nick Clifton
  0 siblings, 0 replies; 2+ messages in thread
From: Nick Clifton @ 2023-06-15 10:17 UTC (permalink / raw)
  To: Sundeep KOKKONDA, binutils

Hi Sundeep,

> We've observed while working on CVE-2023-25586 that binutils 2.38 had its last update in 08/2022.
> Is this branch still under maintenance/support by binutils?

Effectively: "no".

Our current policy is to support the latest release branch and the
current development branch.  Backports of fixes to earlier branches
are certainly allowed, but this is normally only done in response
to specific requests from contributors.

So, if it really matters to you we can backport the fix for
CVE-2023-25586 to the binutils-2_38 branch.  But this is not going
to happen automatically for other CVE fixes.

It is also worth noting that we normally only make one release from
a branch, unless there is a serious bug or problem that needs to be
resolved.  There have been point releases in the past, eg 2.36.1 and
2.35.2, but these tend to be the exception, not the rule.  Thus
backporting a fix to a branch would normally only benefit people who
check out the branch sources and then build from them.

Given that CVE-2023-25586 is triggered by a fuzzed test case I would
not consider that serious enough to warrant backporting its patch and
then creating a point release from the 2.38 branch.

Note - the above only applies to the upstream GNU Binutils sources.
Most distributions have their own maintainers for the binutils and
they often do their own backporting.  So for example Fedora 37 uses
a version of the binutils based upon the upstream 2.38 release but
it also contains backported fixes for CVE-2022-4285 and CVE-2022-38128.

Cheers
   Nick
