Mageia Bugzilla – Attachment 10880 Details for Bug 18987: binutils several new security issues
Summaries of POC tests after update
poc_tests_afterwards (text/plain), 13.15 KB, created by Len Lawrence on 2019-03-24 07:27:23 CET

Description: Summaries of POC tests after update
Filename: poc_tests_afterwards
MIME Type: text/plain
Creator: Len Lawrence
Created: 2019-03-24 07:27:23 CET
Size: 13.15 KB
mga6, x86_64

*After update*

-------------------------------------------------------------------------------

CVE-2018-10372
https://sourceware.org/bugzilla/show_bug.cgi?id=23064
$ readelf -w bug3
readelf: bug3: Warning: Section 0 has an out of range sh_link value of 4160749568
readelf: bug3: Warning: Section 1 has an out of range sh_link value of 16769792
readelf: bug3: Warning: Section 2 has an out of range sh_link value of 33554432
readelf: bug3: Warning: Section 6 has an out of range sh_link value of 247
readelf: bug3: Warning: Section 7 has an out of range sh_link value of 2130706432
readelf: bug3: Warning: Section 11 has an out of range sh_link value of 774778414
readelf: bug3: Warning: Section 12 has an out of range sh_link value of 774778414
readelf: bug3: Warning: possibly corrupt ELF header - it has a non-zero program header offset, but no program headers
[...]

This looks different at the start - possible sign of a fix.

-------------------------------------------------------------------------------

CVE-2018-10373
https://bugzilla.suse.com/show_bug.cgi?id=1090997&_ga=2.211092119.384073384.1553193400-55335118.1500933662
This file is definitely intended for ASAN testing.
Trying this:
$ nm -l crash3
                 U abort@@GLIBC_2.2.5
00000000004076b0 T adjust_relative_path elfcomm.c:398
[...]
000000000040fb00 T xrealloc ./xmalloc.c:175
                 U __xstat@@GLIBC_2.2.5
0000000000410060 T xstrdup ./xstrdup.c:32

This ran to the end, producing the same output as before.
This does not tell us much.

-------------------------------------------------------------------------------

CVE-2018-10534
https://sourceware.org/bugzilla/show_bug.cgi?id=23110
$ objcopy objcopy_crash.input /dev/null
objcopy: /dev/null: Data Directory size (ffffffffffedffff) exceeds space left in section (1f9fe)
objcopy:/dev/null: error copying private BFD data: file in wrong format

Good result - no segfault.

-------------------------------------------------------------------------------

CVE-2018-10535
The POC and result are the same as for CVE-2018-10534.

-------------------------------------------------------------------------------

CVE-2018-6323
https://bugzilla.suse.com/show_bug.cgi?id=1077745&_ga=2.222233242.384073384.1553193400-55335118.1500933662
$ objdump -x c2
objdump: c2: bad value

This differs - possibly good result.
-------------------------------------------------------------------------------

CVE-2018-6543
$ objdump -g c3
objdump: warning: c3 has a corrupt section with a size (ffffffff) larger than the file size
objdump: warning: c3 has a corrupt section with a size (ffffffff) larger than the file size
objdump: warning: c3 has a corrupt section with a size (ffffffff) larger than the file size
c3: file format elf32-i386
Section '.eh_frame' has an invalid size: 0xffffffff.

Good result.

-------------------------------------------------------------------------------

CVE-2018-6759
https://bugzilla.suse.com/show_bug.cgi?id=1079741&_ga=2.226372248.384073384.1553193400-55335118.1500933662
$ valgrind --leak-check=full nm -A -a -l -S -s --special-syms --synthetic -D binutils_2-30-51_nm_unchecked_strlen_bfd_get_debug_link_info_1
[...]
==29261== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

Error count differs from before. Maybe good.

-------------------------------------------------------------------------------

CVE-2018-6872
https://sourceware.org/bugzilla/show_bug.cgi?id=22788
$ objdump -x id_000025,sig_06,src_000072,op_int32,pos_6216,val_be_+16
id_000025,sig_06,src_000072,op_int32,pos_6216,val_be_+16: file format elf32-i386
id_000025,sig_06,src_000072,op_int32,pos_6216,val_be_+16
architecture: i386, flags 0x00000112:
[...]
00000000 w *UND* 00000000 _ITM_registerTMCloneTable
080482a8 g F .init 00000000 _init

Upstream, this aborted under ASAN.

Same output as before - so no conclusion.

-------------------------------------------------------------------------------

CVE-2018-7208
https://sourceware.org/bugzilla/show_bug.cgi?id=22741
$ objcopy objcopy_crash.input
objcopy: strcDUjF: Data Directory size (ffffffffffedffff) exceeds space left in section (1f9fe)
objcopy:strcDUjF: error copying private BFD data: file in wrong format

Good result.

-------------------------------------------------------------------------------

CVE-2018-7568
https://github.com/skysider/FuzzVuln/blob/master/binutils_nm_integer_overflow_parse_die.elf
$ nm -A -a -l -S -s --special-syms --synthetic -D binutils_nm_integer_overflow_parse_die.elf
binutils_nm_integer_overflow_parse_die.elf: U __cxa_begin_catch
binutils_nm_integer_overflow_parse_die.elf:0000000000400770 0000000000e677e6 T __cxa_begin_catch@plt
[...]
binutils_nm_integer_overflow_parse_die.elf: U _ZSt9terminatev
binutils_nm_integer_overflow_parse_die.elf:0000000000400750 T _ZSt9terminatev@plt

Since the output is identical this may be a good result - impossible to be sure.

-------------------------------------------------------------------------------

CVE-2018-7569
https://github.com/skysider/FuzzVuln/blob/master/binutils_nm_integer_overflow_read_attribute_value.elf
$ nm -A -a -l -S -s --special-syms --synthetic -D binutils_nm_integer_overflow_read_attribute_value.elf
Output was similar to that of the previous CVE.

Inconclusive.

-------------------------------------------------------------------------------

CVE-2018-7570
https://github.com/skysider/FuzzVuln/blob/master/binutils_objcopy_null_pointer_dereference_assign_file_positions_for_non_load_sections.elf
$ objcopy binutils_objcopy_null_pointer_dereference_assign_file_positions_for_non_load_sections.elf
objcopy: stpDHKjB: warning: allocated section `.init_array' not in segment
objcopy: stpDHKjB: warning: allocated section `.fini_array' not in segment
objcopy: stpDHKjB: warning: allocated section `.jcr' not in segment
objcopy: stpDHKjB: warning: allocated section `.dynamic' not in segment
objcopy: stpDHKjB: warning: allocated section `.got' not in segment
objcopy: stpDHKjB: warning: allocated section `.got.plt' not in segment
objcopy: stpDHKjB: warning: allocated section `.data' not in segment
objcopy:binutils_objcopy_null_pointer_dereference_assign_file_positions_for_non_load_sections.elf[.data]: File truncated

Same as before - probably a good result.

-------------------------------------------------------------------------------

CVE-2018-7642
https://github.com/skysider/FuzzVuln/blob/master/binutils_objcopy_null_pointer_dereference_aout_32_swap_std_reloc_out.elf
$ objcopy binutils_objcopy_null_pointer_dereference_aout_32_swap_std_reloc_out.elf

objcopy:binutils_objcopy_null_pointer_dereference_aout_32_swap_std_reloc_out.elf: file format not recognized

Good result - no segfault.

-------------------------------------------------------------------------------

CVE-2018-7643
https://github.com/skysider/FuzzVuln/blob/master/binutils_objdump_integer_overflow_display_debug_ranges.elf
$ objdump -x -D -S -s -g -e -G --dwarf -t -T -r -R --special-syms --dwarf-check binutils_objdump_integer_overflow_display_debug_ranges.elf
EXEC_P, HAS_SYMS
start address 0x00000000004007b0
[...]
 INIT_ARRAY 0x0000000000601de0
:objdump: Warning: Invalid length 0x0010001c in FDE at 0x000210
objdump: Warning: Range lists in .debug_ranges section start at 0xff000000
[...]

The whole file is analyzed and then disassembled - apparently successfully, just as before, but ends with:
objdump: binutils_objdump_integer_overflow_display_debug_ranges.elf: unsupported relocation type 0x73
objdump: binutils_objdump_integer_overflow_display_debug_ranges.elf: bad value

No definite conclusion but it looks like it differs from the before case, only slightly.

-------------------------------------------------------------------------------

CVE-2018-8945
This has two reproducers at https://bugzilla.suse.com/show_bug.cgi?id=1086608&_ga=2.184871851.384073384.1553193400-55335118.1500933662
$ objdump -x -W bfd_section_from_shdr_pe
[...]
objdump: bfd_section_from_shdr_pe: no group info for section ''
objdump: bfd_section_from_shdr_pe: bad value

$ objdump -x -W bfd_section_from_shdr_elf
objdump: warning: bfd_section_from_shdr_elf has a corrupt section with a size (ffffffff) larger than the file size
objdump: bfd_section_from_shdr_elf: error: attribute section '.dynsym' too big: 0xffffffff
objdump: bfd_section_from_shdr_elf: invalid operation

Different outcomes, so something has changed. Possible good result.

-------------------------------------------------------------------------------

Suse claims to have fixed the issues covered by the CVEs listed in comment 25.

CVE-2017-12488
https://bugzilla.suse.com/show_bug.cgi?id=1052518&_ga=2.259881994.1290866901.1553368644-55335118.1500933662
$ objdump -x use-after-free
In archive use-after-free:
In nested archive :
objdump: : File format not recognized

Same as before - possibly already fixed.

-------------------------------------------------------------------------------

No reproducers for CVE-2017-1245{0,2,3,4,6}

-------------------------------------------------------------------------------

CVE-2017-12799
https://bugzilla.suse.com/show_bug.cgi?id=1053347&_ga=2.202293137.1290866901.1553368644-55335118.1500933662
$ objdump -S heapoverflow-objdump
objdump: heapoverflow-objdump: File truncated

Same output.

-------------------------------------------------------------------------------

CVE-2017-13757
https://bugzilla.suse.com/show_bug.cgi?id=1056312&_ga=2.265638031.1290866901.1553368644-55335118.1500933662
$ valgrind objdump -x -Wl -R -SD objdump_hoobr_elf_i386_get_synthetic_symtab
No looping and zero errors, otherwise very similar

Looks like the exploit had been taken care of in the update.

-------------------------------------------------------------------------------

CVE-2017-14128
https://bugzilla.suse.com/show_bug.cgi?id=1057139&_ga=2.35043361.1290866901.1553368644-55335118.1500933662
$ valgrind objdump -x -Wl -R -SD objdump_hoobr_read_1_byte

Behaviour was similar to the reproducer for CVE-2017-13757, with and without valgrind.

$ objdump -x -Wl -R -SD objdump_hoobr_read_1_byte
[...]
objdump: Reading section 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.debug_info failed because: file truncated

-------------------------------------------------------------------------------

CVE-2017-14129
https://bugzilla.suse.com/show_bug.cgi?id=1057144&_ga=2.21909691.1290866901.1553368644-55335118.1500933662
$ valgrind objdump -x -Wl -R -SD objdump_hoobr_parse_comp_unit

See CVE-2017-14128.

-------------------------------------------------------------------------------

CVE-2017-14130
https://bugzilla.suse.com/show_bug.cgi?id=1057149&_ga=2.21909691.1290866901.1553368644-55335118.1500933662
https://bugzilla.suse.com/show_bug.cgi?id=1057149&_ga=2.234771486.1290866901.1553368644-55335118.1500933662
$ objdump -x -Wl -R -SD objdump_hoobr_bfd_elf_attr_strdup
objdump: objdump_hoobr_bfd_elf_attr_strdup: invalid string offset 808464432 >= 244 for section `.shstrtab'
objdump: objdump_hoobr_bfd_elf_attr_strdup: Bad value

No change in output.

-------------------------------------------------------------------------------

No reproducer for CVE-2017-14333 (DOS)

-------------------------------------------------------------------------------

CVE-2017-14529
https://bugzilla.suse.com/show_bug.cgi?id=1059050&_ga=2.192847658.1290866901.1553368644-55335118.1500933662
$ valgrind objdump -x -Wl -R -SD objdump_hoobr_bfd_getl16
[...]
==30086== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

-------------------------------------------------------------------------------

No reproducer for CVE-2017-14729 (DOS)

-------------------------------------------------------------------------------

CVE-2017-14745
https://sourceware.org/bugzilla/show_bug.cgi?id=22148
There is no specific instruction for this file but the comments refer to using objdump, so using it in the most basic way:
$ objdump -x crash_1
This produced a full dump without any obvious errors.

Same as before.

-------------------------------------------------------------------------------

CVE-2017-14974
https://bugzilla.suse.com/show_bug.cgi?id=1061241&_ga=2.192796842.1290866901.1553368644-55335118.1500933662
$ objdump -S crash.elf
No crash. Full disassembly of the file.
The issue is DOS via null pointer dereference then crash.

Same as before.

-------------------------------------------------------------------------------

There are dozens more which I am skipping. The last in the list is
CVE-2017-9955
https://bugzilla.suse.com/show_bug.cgi?id=1046094&_ga=2.189119659.1290866901.1553368644-55335118.1500933662
$ objdump -S CVE-2017-9955.poc1 > /dev/null
Nothing reported.

$ objdump -S CVE-2017-9955.poc2 > /dev/null
objdump: warning: CVE-2017-9955.poc2 has a corrupt section with a size (800000001a) larger than the file size
objdump: error: CVE-2017-9955.poc2(.init) is too large (0x800000001a bytes)
objdump: Reading section .init failed because: memory exhausted

This is different, more detail given.
Likely a good result.


The general conclusion is that some of the fixes have definitely been introduced with this update and that several of them are possibly older.
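The attachment judges each reproducer by hand: did the tool segfault, did valgrind's ERROR SUMMARY count change, did the output differ from the pre-update run. The following Python harness, added here as an example and not part of this attachment, of binutils or of Mageia's QA tooling, automates that comparison for an update-validation run. It assumes the reproducer files named in the report are present in the working directory (they are not shipped with the script), that a `baseline/` directory holds the outputs the same script saved before the update, and that objcopy's temporary file names follow the `stXXXXXX` pattern seen in the report (`strcDUjF`, `stpDHKjB`); the `<tmpfile>` normalization is a heuristic built on that assumption.

```python
#!/usr/bin/env python3
"""Re-run binutils reproducers after an update and classify each outcome.

Added example (not from the Bugzilla attachment). For each PoC command it
records whether the tool crashed (killed by SIGSEGV/SIGABRT), hung (timeout,
the DoS case), or exited normally, extracts the error count from a valgrind
ERROR SUMMARY line, and compares normalized output with a pre-update baseline.
"""
import re
import signal
import subprocess
from dataclasses import dataclass
from typing import Optional

# valgrind prints e.g. "==29261== ERROR SUMMARY: 0 errors from 0 contexts ..."
VALGRIND_SUMMARY = re.compile(r"^==\d+== ERROR SUMMARY: (\d+) errors? from", re.M)


@dataclass
class Outcome:
    cve: str
    verdict: str            # "crash", "hang", "error-exit" or "clean"
    detail: str
    output: str             # combined stdout+stderr after normalize()
    valgrind_errors: Optional[int] = None


def classify(returncode: int, timed_out: bool):
    """Map a process exit to a verdict; a negative returncode means killed by a signal."""
    if timed_out:
        return "hang", "timed out (possible infinite loop / DoS)"
    if returncode < 0:
        try:
            name = signal.Signals(-returncode).name
        except ValueError:
            name = f"signal {-returncode}"
        return "crash", f"killed by {name}"
    if returncode != 0:
        return "error-exit", f"exit status {returncode} (tool rejected the input)"
    return "clean", "exit status 0"


def valgrind_error_count(text: str) -> Optional[int]:
    """Extract N from valgrind's 'ERROR SUMMARY: N errors' line, if present."""
    m = VALGRIND_SUMMARY.search(text)
    return int(m.group(1)) if m else None


def normalize(text: str) -> str:
    """Strip values that change between runs so before/after diffs stay meaningful:
    valgrind PIDs, and objcopy temp names assumed to be 'st' + 6 random chars."""
    text = re.sub(r"==\d+==", "==PID==", text)
    return re.sub(r"^(objcopy:\s*)st[A-Za-z0-9]{6}:", r"\1<tmpfile>:", text, flags=re.M)


def run_case(cve: str, argv: list, timeout: float = 30.0) -> Outcome:
    """Run one reproducer command and classify it. Partial output is dropped on timeout."""
    timed_out, rc, out = False, 0, ""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              errors="replace", timeout=timeout)
        rc, out = proc.returncode, proc.stdout + proc.stderr
    except subprocess.TimeoutExpired:
        timed_out = True
    except FileNotFoundError as exc:
        # the tool itself is missing: say so rather than mistake it for a clean run
        return Outcome(cve, "error-exit", f"cannot run: {exc}", "")
    verdict, detail = classify(rc, timed_out)
    out = normalize(out)
    return Outcome(cve, verdict, detail, out, valgrind_error_count(out))


def compare(before: Optional[str], after: str) -> str:
    """Judge a run against the saved pre-update output (both are normalized here)."""
    if before is None:
        return "no baseline: recording this run as the 'before' output"
    if normalize(before) == normalize(after):
        return "same output as before: no conclusion from output alone"
    return "output differs from before: inspect, likely a behaviour change"


if __name__ == "__main__":
    import sys
    from pathlib import Path

    baseline_dir = Path(sys.argv[1] if len(sys.argv) > 1 else "baseline")
    baseline_dir.mkdir(exist_ok=True)
    # commands as in the report; the reproducer files must be supplied separately
    CASES = [
        ("CVE-2018-10372", ["readelf", "-w", "bug3"]),
        ("CVE-2018-6323", ["objdump", "-x", "c2"]),
        ("CVE-2018-6759", ["valgrind", "--leak-check=full", "nm", "-A", "-a", "-l", "-S",
                           "-s", "--special-syms", "--synthetic", "-D",
                           "binutils_2-30-51_nm_unchecked_strlen_bfd_get_debug_link_info_1"]),
        ("CVE-2017-9955", ["objdump", "-S", "CVE-2017-9955.poc2"]),
    ]
    for cve, argv in CASES:
        o = run_case(cve, argv)
        path = baseline_dir / f"{cve}.txt"
        before = path.read_text() if path.exists() else None
        note = compare(before, o.output)
        if before is None:
            path.write_text(o.output)
        vg = "" if o.valgrind_errors is None else f", valgrind errors={o.valgrind_errors}"
        print(f"{cve}: {o.verdict} ({o.detail}{vg}); {note}")
```

Run it once on the pre-update system to populate `baseline/`, then again after the update; a verdict that moves from `crash` or `hang` to `error-exit` is the clear-cut fix, while "same output as before" carries the same caveat the report gives: identical output proves nothing when the original trigger only showed under ASAN or valgrind.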