CVE-2014-8737

Description

Multiple directory traversal vulnerabilities in GNU binutils 2.24 and earlier allow local users to delete arbitrary files via a .. (dot dot) or full path name in an archive to (1) strip or (2) objcopy or create arbitrary files via (3) a .. (dot dot) or full path name in an archive to ar.

How to fix CVE-2014-8737

To remediate CVE-2014-8737, upgrade the affected package to a fixed version below.

• Debian/binutils—upgrade to 2.24.90.20141124-1 or later
• Debian/binutils-mingw-w64—upgrade to 5.2 or later

Is CVE-2014-8737 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 2.24.90.20141124-1
• from 0, < 5.2

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-8737