CVE-2014-8737

Publication date 9 December 2014

Last updated 24 July 2024

Ubuntu priority

Multiple directory traversal vulnerabilities in GNU binutils 2.24 and earlier allow local users to delete arbitrary files via a .. (dot dot) or full path name in an archive to (1) strip or (2) objcopy or create arbitrary files via (3) a .. (dot dot) or full path name in an archive to ar.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
binutils	14.10 utopic	Fixed 2.24.90.20141014-0ubuntu3.1
	14.04 LTS trusty	Fixed 2.24-5ubuntu3.1
	12.04 LTS precise	Fixed 2.22-6ubuntu1.2
	10.04 LTS lucid	Fixed 2.20.1-3ubuntu7.2

Notes

sbeattie

second commit fixes up leaving behind temporary files even on error

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
binutils	Upstream: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dd9b91de2149ee81d47f708e7b0bbf57da10ad42 Upstream: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5e186ece2feebb46e63ff6bb2d2490aad0d5a724

CVE-2014-8737

Status

Notes

sbeattie

Patch details

References

Related Ubuntu Security Notices (USN)

Other references