Bug 31161

Summary: binutils new security issues CVE-2021-3530 CVE-2021-3648 CVE-2021-46195 CVE-2022-4285 CVE-2022-27943 CVE-2022-3812[67] CVE-2023-1579 CVE-2023-1972 CVE-2023-2558[4578]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Base system maintainers <basesystem>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: nicolas.salguero, tmb
Version: 8   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: binutils-2.39-3.mga9.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 29820    

Description David Walser 2022-11-21 22:48:51 CET 
SUSE has issued an advisory today (November 21):
https://lists.suse.com/pipermail/sle-security-updates/2022-November/013047.html
David Walser 2022-11-21 22:49:01 CET

Whiteboard: (none) => MGA8TOO
Blocks: (none) => 29820

Comment 2 David Walser 2023-01-17 23:43:37 CET 
Fedora has issued an advisory on January 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KR2QVMWPG65ADZNESANZ2ZCVKKIOXB3J/

The issue is fixed upstream in 2.40 (gdb may also be affected).

CC: (none) => tmb
Summary: binutils new security issues CVE-2021-3530 CVE-2021-3648 CVE-2021-46195 CVE-2022-27943 CVE-2022-3812[67] => binutils new security issues CVE-2021-3530 CVE-2021-3648 CVE-2021-46195 CVE-2022-4285 CVE-2022-27943 CVE-2022-3812[67]

Comment 3 David Walser 2023-03-14 02:35:02 CET 
Fedora has issued an advisory on March 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ISGOHU4UHYPN2BYVXLXBJH5IVDC3EIOW/

It fixes one additional issue (CVE-2023-25587) and according to the RedHat bug, there may be more (CVE-2023-25584, CVE-2023-25585, CVE-2023-25588).

Summary: binutils new security issues CVE-2021-3530 CVE-2021-3648 CVE-2021-46195 CVE-2022-4285 CVE-2022-27943 CVE-2022-3812[67] => binutils new security issues CVE-2021-3530 CVE-2021-3648 CVE-2021-46195 CVE-2022-4285 CVE-2022-27943 CVE-2022-3812[67] CVE-2023-25587

Comment 4 David Walser 2023-04-05 02:53:41 CEST 
Fedora has issued an advisory on April 1:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7QO6DMWFYQDCGFLUQ4K7MW4Q323U4UU5/

It fixes one additional issue (CVE-2023-1579).

Summary: binutils new security issues CVE-2021-3530 CVE-2021-3648 CVE-2021-46195 CVE-2022-4285 CVE-2022-27943 CVE-2022-3812[67] CVE-2023-25587 => binutils new security issues CVE-2021-3530 CVE-2021-3648 CVE-2021-46195 CVE-2022-4285 CVE-2022-27943 CVE-2022-3812[67] CVE-2023-1579 CVE-2023-25587

Comment 5 David Walser 2023-05-07 00:56:59 CEST 
Fedora has issued an advisory on April 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PDUJK5SPEJYUN5GYBGTJJLXMBBFLY5NE/

It fixes one additional issue (CVE-2023-1972).

Summary: binutils new security issues CVE-2021-3530 CVE-2021-3648 CVE-2021-46195 CVE-2022-4285 CVE-2022-27943 CVE-2022-3812[67] CVE-2023-1579 CVE-2023-25587 => binutils new security issues CVE-2021-3530 CVE-2021-3648 CVE-2021-46195 CVE-2022-4285 CVE-2022-27943 CVE-2022-3812[67] CVE-2023-1579 CVE-2023-1972 CVE-2023-25587

Comment 6 David Walser 2023-05-18 18:07:01 CEST 
(In reply to David Walser from comment #2)
> Fedora has issued an advisory on January 12:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/KR2QVMWPG65ADZNESANZ2ZCVKKIOXB3J/
> 
> The issue is fixed upstream in 2.40 (gdb may also be affected).

RedHat has issued an advisory for CVE-2022-4285 on May 16:
https://access.redhat.com/errata/RHSA-2023:2873
Comment 7 David Walser 2023-06-20 14:36:55 CEST 
CVE-2023-2558[458]:
https://ubuntu.com/security/notices/USN-6101-1

Summary: binutils new security issues CVE-2021-3530 CVE-2021-3648 CVE-2021-46195 CVE-2022-4285 CVE-2022-27943 CVE-2022-3812[67] CVE-2023-1579 CVE-2023-1972 CVE-2023-25587 => binutils new security issues CVE-2021-3530 CVE-2021-3648 CVE-2021-46195 CVE-2022-4285 CVE-2022-27943 CVE-2022-3812[67] CVE-2023-1579 CVE-2023-1972 CVE-2023-2558[4578]

Comment 8 Thomas Backlund 2023-06-27 19:47:07 CEST 
CVE-2021-3530 fixed since 2.38, commit:
commit f10f8617a302f45dae721eae0cd659911f03d864
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Jan 31 14:36:31 2022 +0000


CVE-2021-3648 rejected as its a duplicate for CVE-2021-3530


CVE-2021-46195 is also reference to fix for CVE-2021-3530 


CVE-2022-4285 fixed in Cauldron since upstream:
commit 5c831a3c7f3ca98d6aba1200353311e1a1f84c70
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Oct 19 15:09:12 2022 +0100


CVE-2022-27943 fixed in Cauldron since upstream:
commit d8efadbdd94772562fed8fba9ce553587a62550f
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Jul 4 13:57:12 2022 +0100


CVE-2022-3812[67] rejected, no security issue:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38126
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38127


CVE-2023-1579 fixed in Cauldron 2.40 since upstream:
commit 3e307d538c351aa9327cbad672c884059ecc20dd
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Jan 11 12:13:46 2023 +0000


CVE-2023-25584 fixed in Cauldron 2.40 since:
commit 77c225bdeb410cf60da804879ad41622f5f1aa44
Author: Alan Modra <amodra@gmail.com>
Date:   Mon Dec 12 18:28:49 2022 +1030


CVE-2023-25585 fixed in Cauldron 2.40 since:
commit 65cf035b8dc1df5d8020e0b1449514a3c42933e7
Author: Alan Modra <amodra@gmail.com>
Date:   Mon Dec 12 19:01:08 2022 +1030


CVE-2023-25587 rejected, no security issue:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25587


CVE-2023-25588 fixed in Cauldron 2.40 since:
commit d12f8998d2d086f0a6606589e5aedb7147e6f2f1
Author: Alan Modra <amodra@gmail.com>
Date:   Fri Oct 14 10:30:21 2022 +1030


and finally, CVE-2023-1972 fixed in cauldron in: binutils-2.40-11.mga9 just submitted.

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 9 Nicolas Salguero 2024-01-12 10:32:17 CET 
Mageia 8 EOL

Resolution: (none) => OLD
CC: (none) => nicolas.salguero
Status: NEW => RESOLVED