Bug 18987 - binutils several new security issues
Summary: binutils several new security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/694783/
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2016-07-19 16:28 CEST by David Walser
Modified: 2019-05-12 22:59 CEST (History)
8 users (show)

See Also:
Source RPM: binutils-2.25.1-5.mga6.src.rpm
CVE:
Status comment: Could be fixed by updating to 2.29.1 + upstream fixes in 2.29 branch


Attachments
Brief reports of reproducer tests before updating (10.85 KB, text/plain)
2019-03-23 22:05 CET, Len Lawrence
Details
Summaries of POC tests after update (13.15 KB, text/plain)
2019-03-24 07:27 CET, Len Lawrence
Details

Description David Walser 2016-07-19 16:28:30 CEST
Debian-LTS has issued an advisory on July 18:
http://lwn.net/Alerts/694764/

I'm not sure which versions are affected or fixed.
Comment 2 David Walser 2016-08-11 18:57:53 CEST
CC'ing Christiaan who helped with the last security update for this package, and Pascal who might also be able to help.

CC: (none) => cjw, pterjan

Comment 3 David Walser 2017-03-18 18:09:50 CET
More security issues that have been fixed upstream in binutils:
http://openwall.com/lists/oss-security/2017/03/16/8
Comment 4 David Walser 2017-04-10 10:15:48 CEST
CVE-2017-7614:
http://openwall.com/lists/oss-security/2017/04/10/16
Comment 5 David Walser 2017-05-20 12:15:01 CEST
CVE-2017-903[89] and CVE-2017-904[0-4]:
http://openwall.com/lists/oss-security/2017/05/18/7
Comment 6 Dave Hodgins 2017-06-25 03:22:28 CEST
Increasing importance to release blocker

Priority: Normal => release_blocker
CC: (none) => davidwhodgins

Comment 7 Dave Hodgins 2017-06-25 03:39:04 CEST
Changed my mind after reading the links in more detail. While the bugs can cause
crashes when running programs such as readelf, nm, etc., I don't see any path
for exploitation of these crashes, to enable compromising the security.

Priority: release_blocker => Normal

Comment 8 David Walser 2017-06-25 03:40:43 CEST
But are we ever going to fix any of this?  This has been completely ignored for almost an entire year.
Comment 9 Thomas Backlund 2017-07-01 00:27:24 CEST

For cauldron, CVE-2016-4487/4488/4489/4490/4492/4493/6131 and CVE-2017-6969/7210 are fixed in binutils-2.25.1-6.mga6 currently building...


The other CVEs:

CVE-2017-6965/6, CVE-2017-7209, CVE-2017-7614, CVE-2017-90[38-43] alters binutils wayt too much to be safe to push at this point, I will review  those later again to see if they are safe enough to fix in oldder binutils..

Then there is also a CVE-2016-4491 that seems to cause more grief uptream for various packages so that it might be best to not ever backport them... the final fixes seems to be heading to upcoming binutils 2.29...


For mga5 I havent decided yet if its worth the hassle to backport all theese
David Walser 2017-07-07 04:23:16 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 10 David Walser 2017-09-26 12:02:08 CEST
CVE-2017-14729:
http://openwall.com/lists/oss-security/2017/09/26/6
Comment 14 David Walser 2017-12-05 23:16:28 CET
CVE-2014-9939 CVE-2017-12448 CVE-2017-12450
CVE-2017-12452 CVE-2017-12453 CVE-2017-12454
CVE-2017-12456 CVE-2017-12799 CVE-2017-13757
CVE-2017-14128 CVE-2017-14129 CVE-2017-14130
CVE-2017-14333 CVE-2017-14529 CVE-2017-14729
CVE-2017-14745 CVE-2017-14974 CVE-2017-6965
CVE-2017-6966 CVE-2017-6969 CVE-2017-7209
CVE-2017-7210 CVE-2017-7223 CVE-2017-7224
CVE-2017-7225 CVE-2017-7226 CVE-2017-7227
CVE-2017-7299 CVE-2017-7300 CVE-2017-7301
CVE-2017-7302 CVE-2017-7303 CVE-2017-7304
CVE-2017-7614 CVE-2017-8392 CVE-2017-8393
CVE-2017-8394 CVE-2017-8395 CVE-2017-8396
CVE-2017-8397 CVE-2017-8398 CVE-2017-8421
CVE-2017-9038 CVE-2017-9039 CVE-2017-9040
CVE-2017-9041 CVE-2017-9042 CVE-2017-9043
CVE-2017-9044 CVE-2017-9746 CVE-2017-9747
CVE-2017-9748 CVE-2017-9750 CVE-2017-9755
CVE-2017-9756 CVE-2017-9954 CVE-2017-9955:
https://lists.opensuse.org/opensuse-updates/2017-12/msg00008.html
Comment 15 David Walser 2017-12-27 00:59:39 CET
We still need to update this one.
Comment 16 David Walser 2017-12-30 21:06:36 CET
Mageia 5 update moved to Bug 22288.

For Mageia 6, I think we should update to 2.29.1 (like openSUSE did in Comment 14), i.e. sync it with current Cauldron.  I would have done it myself, but this gave me pause:
http://svnweb.mageia.org/packages/cauldron/binutils/current/SPECS/binutils.spec?r1=1150574&r2=1150573&pathrev=1150574

(forcing the build requirement to GCC 7).  openSUSE has GCC 4.8, so it should build fine with GCC 5 in Mageia 6.

Whiteboard: MGA6TOO, MGA5TOO => (none)
Version: Cauldron => 6

Comment 17 Thomas Backlund 2017-12-30 22:06:06 CET
NO.

binutils is part of core toolchain, and we dont do big toolchain bump in a stable release.

I've started going through the CVEs to decide wich ones are important enoungh to fix...
Comment 18 David Walser 2017-12-30 22:10:48 CET
openSUSE managed to update it from 2.26.1 to 2.29.1 in a stable release, just FYI.
Comment 19 Thomas Backlund 2017-12-30 22:37:16 CET
Yeah, I know... 

I also know that there are still issues/regressions being fixed in upstream master branch slowly filtering down to 2.29 branch so it should behave properly... 

binutils 2.25.1 on the other hand has a known good stable behaviour...
Comment 20 David Walser 2017-12-30 23:12:30 CET
I'm glad we have someone that knows about these things :o)

If it would help, we don't have to address this one right away, if you want to wait until 2.29.x calms down.
David Walser 2018-02-02 18:12:19 CET

Status comment: (none) => Could be fixed by updating to 2.30

Comment 21 Thomas Backlund 2018-02-02 18:17:15 CET
yeah,, well 2.30 brings along some weirdness with some elf gabi breakage that got argued about from time to time and a few days before release and the suggestion was that some stuff may be reverted for 2.30.1...

On the good side, 2.29 branch has stabilized, so i might end up uing that and adding the possibly missing cve on top of that..
Comment 22 Thomas Backlund 2018-02-02 18:18:32 CET
by the looks of it... it seems fedora too intends to stay on 2.29 for F28... go figure...
David Walser 2018-02-02 18:41:36 CET

Status comment: Could be fixed by updating to 2.30 => Could be fixed by updating to 2.29.1 + upstream fixes in 2.29 branch

Comment 23 David Walser 2018-10-17 22:55:00 CEST
CVE-2018-10372 CVE-2018-10373
CVE-2018-10534 CVE-2018-10535 CVE-2018-6323
CVE-2018-6543 CVE-2018-6759 CVE-2018-6872
CVE-2018-7208 CVE-2018-7568 CVE-2018-7569
CVE-2018-7570 CVE-2018-7642 CVE-2018-7643
CVE-2018-8945:
http://lists.suse.com/pipermail/sle-security-updates/2018-October/004678.html
http://lists.suse.com/pipermail/sle-security-updates/2018-October/004683.html
Comment 24 David Walser 2018-10-23 16:59:14 CEST
openSUSE has issued advisories for this on October 18 and today (October 23):
https://lists.opensuse.org/opensuse-updates/2018-10/msg00104.html
https://lists.opensuse.org/opensuse-updates/2018-10/msg00133.html
Comment 25 David Walser 2019-02-02 18:19:16 CET
CVE-2017-12448 CVE-2017-12449 CVE-2017-12450 CVE-2017-12451 CVE-2017-12452 CVE-2017-12453 CVE-2017-12454 CVE-2017-12455 CVE-2017-12456 CVE-2017-12457 CVE-2017-12458 CVE-2017-12459 CVE-2017-13710 CVE-2017-13716 CVE-2018-18700:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/37N6SA4WSBTFWAMPQXHSO7JRJQ6EIIO5/
Comment 26 David Walser 2019-02-02 23:09:23 CET
CVE-2018-18484:
https://bugzilla.redhat.com/show_bug.cgi?id=1645958

I have no idea what Fedora did to supposedly fix the 2017 CVEs in Comment 25.
Comment 27 David Walser 2019-02-02 23:19:58 CET
binutils 2.32 has been released today, hopefully addressing some or all of these:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blob_plain;f=binutils/NEWS;hb=refs/tags/binutils-2_32
Comment 28 David Walser 2019-02-09 03:32:56 CET
binutils-2.32-1.mga7 uploaded for Cauldron by Thomas.
Comment 29 Thomas Backlund 2019-03-20 13:59:56 CET
Ok, so binutils 2.32 in cauldron seems to behave nicely and is stable, so lets use that to close all theese security issues...

SRPM:
binutils-2.32-1.mga6.src.rpm


i586:
binutils-2.32-1.mga6.i586.rpm
libbinutils-devel-2.32-1.mga6.i586.rpm


x86_64:
binutils-2.32-1.mga6.x86_64.rpm
lib64binutils-devel-2.32-1.mga6.x86_64.rpm

Assignee: tmb => qa-bugs

Comment 30 Herman Viaene 2019-03-22 15:23:40 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Strange. older versions on newer update bugs....
Tried some command on own data:
$ ls -als
totaal 44
 4 drwxr-xr-x  2 tester6 tester6  4096 mrt 22 15:22 ./
 4 drwxr-xr-x 14 tester6 tester6  4096 mrt 19 11:51 ../
 4 -rw-r--r--  1 tester6 tester6   593 okt 25 16:39 10933.py
32 -rwxr-xr-x  1 tester6 tester6 31008 okt 25 16:40 samplesshd-cb*

$ ar -r testar.a *
ar: creating testar.a


$ ar -tv testar.a *
rw-r--r-- 1000/1000    593 Oct 25 16:39 2018 10933.py
rwxr-xr-x 1000/1000  31008 Oct 25 16:40 2018 samplesshd-cb
no entry testar.a in archive

$ size testar.a 
size: 10933.py: file format not recognized
   text	   data	    bss	    dec	    hex	filename
   7066	   1528	     32	   8626	   21b2	samplesshd-cb (ex testar.a)

$ strings testar.a 
!<arch>
/               1553264012  0     0     0       240       `
data_start
__libc_csu_fini
_start
argp_program_version
_fini
_IO_stdin_used
__data_start
and a lot more ......

Seems all OK to me.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 31 Len Lawrence 2019-03-22 18:32:28 CET
Have been chasing POC files and testing them for x86_64.  The SuSE server has gone offline just now so shall report back later.

CC: (none) => tarazed25

Comment 32 Len Lawrence 2019-03-22 20:30:27 CET
@tmb, David

Just finished processing the CVE-2018 POC before the update.  Should QA follow up the 2017 CVEs as well?  This is the first time I have seen binutils in QA so need some guidance.
Comment 33 Len Lawrence 2019-03-23 22:05:42 CET
Created attachment 10879 [details]
Brief reports of reproducer tests before updating

This is not exhaustive, covering at least half of the CVEs.
Comment 34 Len Lawrence 2019-03-24 07:27:23 CET
Created attachment 10880 [details]
Summaries of POC tests after update
Comment 35 Len Lawrence 2019-03-24 08:40:59 CET
mga6, x86_64

POC reports are attached - they do not cover all the CVEs.

• ar:	  	Create, modify, and extract from archives
• nm:	  	List symbols from object files
• objcopy:	Copy and translate object files
• objdump:	Display information from object files
• ranlib:	Generate index to archive contents
• size:	  	List section sizes and total size
• strings:	List printable strings from files
• strip:	Discard symbols
• c++filt:	Filter to demangle encoded C++ symbols
• cxxfilt:	MS-DOS name for c++filt
• addr2line:	Convert addresses to file and line
• nlmconv:	Converts object code into an NLM
• windmc:	Generator for Windows message resources
• windres:	Manipulate Windows resources
• dlltool:	Create files needed to build and use DLLs
• readelf:	Display the contents of ELF format files
• elfedit:	Update the ELF header of ELF files

Some utility tests:

$ ar -rc reports.a binutils/report.*
$ ll reports*
-rw-r--r-- 1 lcl lcl 4770 Mar 24 06:51 reports.a
$ ar tv reports.a
rw-r--r-- 1000/1000   4446 Mar 23 20:55 2019 report.2017
rw-r--r-- 1000/1000    195 Mar 24 06:43 2019 report.18987

$ strings /usr/lib64/tcl8.6/Img1.4/libtkimg1.4.so | grep LIBC
GLIBC_2.2.5
GLIBC_2.14

$ size /usr/bin/ruby
   text	   data	    bss	    dec	    hex	filename
   2313	    616	      8	   2937	    b79	/usr/bin/ruby

$ objdump -f /bin/ruby
/bin/ruby:     file format elf64-x86-64
architecture: i386:x86-64, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x00000000004008b0

$ objdump -g /bin/alsamixer
objdump: Warning: tried: /usr/bin/alsamixer.debug
objdump: Warning: tried: .debug/alsamixer.debug
objdump: Warning: tried: alsamixer.debug
Contents of the .eh_frame section (loaded from /bin/alsamixer):
00000000 0000000000000014 00000000 CIE
  Version:               1
  Augmentation:          "zR"
  Code alignment factor: 1
  Data alignment factor: -8
  Return address column: 16
[...]

$ objdump -x /bin/alsamixer
/bin/alsamixer:     file format elf64-x86-64
/bin/alsamixer
architecture: i386:x86-64, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x0000000000404540
Program Header:
    PHDR off    0x0000000000000040 vaddr 0x0000000000400040 paddr 0x0000000000400040 align 2**3
[...]

$ readelf -hl /bin/ruby
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
[...]
Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  PHDR           0x0000000000000040 0x0000000000400040 0x0000000000400040
                 0x00000000000001f8 0x00000000000001f8  R E    0x8
  INTERP         0x0000000000000238 0x0000000000400238 0x0000000000400238
[...]

$ nm -A -a -l -S -s --special-syms --synthetic -D /bin/cinnamon
/bin/cinnamon:                 U atk_bridge_adaptor_init
/bin/cinnamon:0000000000401160 T atk_bridge_adaptor_init@plt
/bin/cinnamon:                 U bindtextdomain
/bin/cinnamon:                 U bind_textdomain_codeset
/bin/cinnamon:0000000000401280 T bind_textdomain_codeset@plt
/bin/cinnamon:0000000000401260 T bindtextdomain@plt
/bin/cinnamon:0000000000603200 B __bss_start
[...]

Working OK for 64bit also.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Comment 36 Len Lawrence 2019-04-01 03:11:30 CEST
This one lacks an advisory.
Comment 37 Thomas Andrews 2019-04-02 20:55:11 CEST
Looks like Len and Herman have covered this one. Validating. I don't see a suggested advisory.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 38 Dave Hodgins 2019-04-04 15:45:52 CEST
Adding feedback marker till advisory available.

Keywords: (none) => feedback

Comment 39 Dave Hodgins 2019-04-10 21:21:08 CEST
Ping. Still need an advisory.
Comment 40 Thomas Backlund 2019-05-04 20:40:14 CEST
I forgot to add fixes for CVE-2019-9071/3/4/5/7, so added them now:


SRPMS:
binutils-2.32-1.1.mga6.src.rpm


i586:
binutils-2.32-1.1.mga6.i586.rpm
libbinutils-devel-2.32-1.1.mga6.i586.rpm


x86_64:
binutils-2.32-1.1.mga6.x86_64.rpm
lib64binutils-devel-2.32-1.1.mga6.x86_64.rpm

Keywords: feedback, validated_update => (none)
Whiteboard: MGA6-32-OK MGA6-64-OK => (none)
CC: (none) => tmb

Comment 41 Len Lawrence 2019-05-07 16:53:25 CEST
mga6, x86_64
Updated the two packages.

CVE-2019-9071
https://sourceware.org/bugzilla/show_bug.cgi?id=24227
reproducer inputs in bug_so_inputs.zip

Running this after the update.  Upstream reports stackoverflow/abort under asan.
$ nm -C so1
[...]
00000000 A _ZZ.__uuuuuoooooooooooooooooooooogocooAooooooooooooo3333333oirooocclcccccc9cccc�coooooooooodoooooooooooooouoooooooooooooooooooooooooooooooooooooooo�ooooooooo

No crash.
$ nm -C so2
No crash
$ nm -C so3
No crash
Treating this as a positive outcome.

CVE-2019-9073
https://sourceware.org/bugzilla/show_bug.cgi?id=24233
$ file oom2
oom2: ELF 64-bit LSB no file type, Intel K1OM,
objdump: warning: oom2 has a corrupt section with a size (80080000000c006c) larger than the file size
[...]
oom2:     file format elf64-k1om
oom2
architecture: k1om, flags 0x00000010:
HAS_SYMS
start address 0xf0ffffff03100000
objdump: warning: private headers incomplete: memory exhausted

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0               00000001  0000000000000000  0000000000000000  ffe90af8ff  2**45
                  CONTENTS, READONLY
  1               00000000  0000000000002200  0000000000002200  00000000  2**0
                  CONTENTS, READONLY
  2               ffffff7f00  0000000000000000  0000000000000000  deffffff00  2**48
                  CONTENTS, READONLY
SYMBOL TABLE:
no symbols

This looks good but upstream there appears to be controversy over the reproducibility
with asan.

Skipping searches for other POC.

Repeating some of the earlier utility tests.
$ strings /usr/bin/stellarium | grep GL | grep -v ANGLE | wc -l
344
$ objdump -f /bin/rustc

/bin/rustc:     file format elf64-x86-64
architecture: i386:x86-64, flags 0x00000150:
HAS_SYMS, DYNAMIC, D_PAGED
start address 0x0000000000000a60

$ objdump -x /bin/pulseaudio

/bin/pulseaudio:     file format elf64-x86-64
/bin/pulseaudio
architecture: i386:x86-64, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x0000000000407870

Program Header:
    PHDR off    0x0000000000000040 vaddr 0x0000000000400040 paddr 0x0000000000400040 align 2**3
[...]
 24 .gnu_debuglink 00000018  0000000000000000  0000000000000000  00015070  2**2
                  CONTENTS, READONLY
 25 .gnu_debugdata 000005c4  0000000000000000  0000000000000000  00015088  2**0
                  CONTENTS, READONLY
SYMBOL TABLE:
no symbols

$ readelf -hl /bin/ruby
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
[...]
   04     .dynamic 
   05     .note.ABI-tag .note.gnu.build-id 
   06     .eh_frame_hdr 
   07     
   08     .init_array .fini_array .jcr .dynamic .got 

$ nm -A -a -l -S -s --special-syms --synthetic -D /bin/cinnamon
/bin/cinnamon:                 U atk_bridge_adaptor_init
/bin/cinnamon:0000000000401160 T atk_bridge_adaptor_init@plt
/bin/cinnamon:                 U bindtextdomain
/bin/cinnamon:                 U bind_textdomain_codeset
/bin/cinnamon:0000000000401280 T bind_textdomain_codeset@plt
[...]

OK for 64-bits

Whiteboard: (none) => MGA6-64-OK

Comment 42 Thomas Andrews 2019-05-07 20:38:34 CEST
Validating once more on the strength of Len's tests.

But it still needs an advisory...

Keywords: (none) => validated_update

Comment 43 Thomas Backlund 2019-05-12 21:56:26 CEST
Insanely long Advisory, added to svn:

type: security
subject: Updated binutils packages fixes security vulnerabilities
CVE:
 - CVE-2014-9939
 - CVE-2016-4487
 - CVE-2016-4488
 - CVE-2016-4489
 - CVE-2016-4490
 - CVE-2016-4492
 - CVE-2016-4493
 - CVE-2016-6131
 - CVE-2017-6965
 - CVE-2017-6966
 - CVE-2017-6969
 - CVE-2017-7209
 - CVE-2017-7210
 - CVE-2017-7223
 - CVE-2017-7224
 - CVE-2017-7225
 - CVE-2017-7226
 - CVE-2017-7227
 - CVE-2017-7299
 - CVE-2017-7300
 - CVE-2017-7301
 - CVE-2017-7302
 - CVE-2017-7303
 - CVE-2017-7304
 - CVE-2017-7614
 - CVE-2017-8392
 - CVE-2017-8393
 - CVE-2017-8394
 - CVE-2017-8395
 - CVE-2017-8396
 - CVE-2017-8397
 - CVE-2017-8398
 - CVE-2017-8421
 - CVE-2017-9038
 - CVE-2017-9039
 - CVE-2017-9040
 - CVE-2017-9041
 - CVE-2017-9042
 - CVE-2017-9043
 - CVE-2017-9044
 - CVE-2017-9746
 - CVE-2017-9747
 - CVE-2017-9748
 - CVE-2017-9750
 - CVE-2017-9755
 - CVE-2017-9756
 - CVE-2017-9954
 - CVE-2017-9955
 - CVE-2017-12448
 - CVE-2017-12449
 - CVE-2017-12450
 - CVE-2017-12451
 - CVE-2017-12452
 - CVE-2017-12453
 - CVE-2017-12454
 - CVE-2017-12455
 - CVE-2017-12456
 - CVE-2017-12457
 - CVE-2017-12458
 - CVE-2017-12459
 - CVE-2017-12799
 - CVE-2017-13710
 - CVE-2017-13716
 - CVE-2017-13757
 - CVE-2017-14128
 - CVE-2017-14129
 - CVE-2017-14130
 - CVE-2017-14333
 - CVE-2017-14529
 - CVE-2017-14729
 - CVE-2017-14745
 - CVE-2017-14938
 - CVE-2017-14939
 - CVE-2017-14940
 - CVE-2017-14974
 - CVE-2017-15020
 - CVE-2017-15021
 - CVE-2017-15022
 - CVE-2017-15023
 - CVE-2017-15024
 - CVE-2017-15025
 - CVE-2017-15938
 - CVE-2017-15939
 - CVE-2018-6323
 - CVE-2018-6543
 - CVE-2018-6759
 - CVE-2018-6872
 - CVE-2018-7208
 - CVE-2018-7568
 - CVE-2018-7569
 - CVE-2018-7570
 - CVE-2018-7642
 - CVE-2018-7643
 - CVE-2018-8945
 - CVE-2018-10372
 - CVE-2018-10373
 - CVE-2018-10534
 - CVE-2018-10535
 - CVE-2018-18484
 - CVE-2018-18700
 - CVE-2019-9071
 - CVE-2019-9073
 - CVE-2019-9074
 - CVE-2019-9075
 - CVE-2019-9077
src:
  6:
   core:
     - binutils-2.32-1.1.mga6
description: |
  This update provides the latest stable binutils, currently version 2.32
  and fixes atleast the following security issues:

  ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when
  printing bad bytes in Intel Hex objects (CVE-2014-9939)

  Use-after-free vulnerability in libiberty allows remote attackers to cause
  a denial of service (segmentation fault and crash) via a crafted binary,
  related to "btypevec." (CVE-2016-4487)

  Use-after-free vulnerability in libiberty allows remote attackers to cause
  a denial of service (segmentation fault and crash) via a crafted binary,
  related to "ktypevec." (CVE-2016-4488)

  Integer overflow in the gnu_special function in libiberty allows remote
  attackers to cause a denial of service (segmentation fault and crash) via
  a crafted binary, related to the "demangling of virtual tables."
  (CVE-2016-4489)

  Integer overflow in cp-demangle.c in libiberty allows remote attackers to
  cause a denial of service (segmentation fault and crash) via a crafted
  binary, related to inconsistent use of the long and int types for lengths.
  (CVE-2016-4490)

  Buffer overflow in the do_type function in cplus-dem.c in libiberty allows
  remote attackers to cause a denial of service (segmentation fault and
  crash) via a crafted binary. (CVE-2016-4492)

  The demangle_template_value_parm and do_hpacc_template_literal functions
  in cplus-dem.c in libiberty allow remote attackers to cause a denial of
  service (out-of-bounds read and crash) via a crafted binary. 
  (CVE-2016-4493)

  The demangler in GNU Libiberty allows remote attackers to cause a denial
  of service (infinite loop, stack overflow, and crash) via a cycle in the
  references of remembered mangled types. (CVE-2016-6131)

  readelf in GNU Binutils 2.28 writes to illegal addresses while processing
  corrupt input files containing symbol-difference relocations, leading to
  a heap-based buffer overflow. (CVE-2017-6965)

  readelf in GNU Binutils 2.28 has a use-after-free (specifically
  read-after-free) error while processing multiple, relocated sections in an
  MSP430 binary. This is caused by mishandling of an invalid symbol index,
  and mishandling of state across invocations. (CVE-2017-6966)

  readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over-read
  while processing corrupt RL78 binaries. The vulnerability can trigger
  program crashes. It may lead to an information leak as well. (CVE-2017-6969)

  The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses
  a NULL pointer while reading section contents in a corrupt binary, leading
  to a program crash. (CVE-2017-7209)

  objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer
  over-reads (of size 1 and size 8) while handling corrupt STABS enum type
  strings in a crafted object file, leading to program crash. (CVE-2017-7210)

  GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer
  overflow (of size 1) while attempting to unget an EOF character from the
  input stream, potentially leading to a program crash. (CVE-2017-7223)

  The find_nearest_line function in objdump in GNU Binutils 2.28 is vulnerable
  to an invalid write (of size 1) while disassembling a corrupt binary that
  contains an empty function name, leading to a program crash. (CVE-2017-7224)

  The find_nearest_line function in addr2line in GNU Binutils 2.28 does not
  handle the case where the main file name and the directory name are both
  empty, triggering a NULL pointer dereference and an invalid write, and
  leading to a program crash. (CVE-2017-7225)

  The pe_ILF_object_p function in the Binary File Descriptor (BFD) library
  (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a
  heap-based buffer over-read of size 4049 because it uses the strlen
  function instead of strnlen, leading to program crashes in several
  utilities such as addr2line, size, and strings. It could lead to
  information disclosure as well. (CVE-2017-7226)

  GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buffer
  overflow while processing a bogus input script, leading to a program
  crash. This relates to lack of '\0' termination of a name field in ldlex.l.
  (CVE-2017-7227)

  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
  GNU Binutils 2.28, has an invalid read (of size 8) because the code to
  emit relocs (bfd_elf_final_link function in bfd/elflink.c) does not check
  the format of the input file before trying to read the ELF reloc section
  header. The vulnerability leads to a GNU linker (ld) program crash.
  (CVE-2017-7299)

  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
  GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h
  that is vulnerable to a heap-based buffer over-read (off-by-one) because
  of an incomplete check for invalid string offsets while loading symbols,
  leading to a GNU linker (ld) program crash. (CVE-2017-7300)

  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
  GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h
  that has an off-by-one vulnerability because it does not carefully check
  the string offset. The vulnerability could lead to a GNU linker (ld)
  program crash. (CVE-2017-7301)

  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
  GNU Binutils 2.28, has a swap_std_reloc_out function in bfd/aoutx.h that
  is vulnerable to an invalid read (of size 4) because of missing checks
  for relocs that could not be recognised. This vulnerability causes
  Binutils utilities like strip to crash. (CVE-2017-7302)

  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
  GNU Binutils 2.28, is vulnerable to an invalid read (of size 4) because
  of missing a check (in the find_link function) for null headers before
  attempting to match them. This vulnerability causes Binutils utilities
  like strip to crash. (CVE-2017-7303)

  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
  GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because
  of missing a check (in the copy_special_section_fields function) for an
  invalid sh_link field before attempting to follow it. This vulnerability
  causes Binutils utilities like strip to crash. (CVE-2017-7304)

  elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as
  distributed in GNU Binutils 2.28, has a "member access within null
  pointer" undefined behavior issue, which might allow remote attackers to
  cause a denial of service (application crash) or possibly have unspecified
  other impact via an "int main() {return 0;}" program. (CVE-2017-7614)

  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
  GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of
  missing a check to determine whether symbols are NULL in the 
  _bfd_dwarf2_find_nearest_line function. This vulnerability causes programs
  that conduct an analysis of binary programs using the libbfd library,
  such as objdump, to crash. (CVE-2017-8392)

  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
  GNU Binutils 2.28, is vulnerable to a global buffer over-read error
  because of an assumption made by code that runs for objcopy and strip,
  that SHT_REL/SHR_RELA sections are always named starting with a 
  .rel/.rela prefix. This vulnerability causes programs that conduct an
  analysis of binary programs using the libbfd library, such as objcopy
  and strip, to crash. (CVE-2017-8393)

  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
  GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL
  pointer dereferencing of _bfd_elf_large_com_section. This vulnerability
  causes programs that conduct an analysis of binary programs using the
  libbfd library, such as objcopy, to crash. (CVE-2017-8394)

  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
  GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of
  missing a malloc() return-value check to see if memory had actually been
  allocated in the _bfd_generic_get_section_contents function. This
  vulnerability causes programs that conduct an analysis of binary programs
  using the libbfd library, such as objcopy, to crash. (CVE-2017-8395)

  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
  GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the
  existing reloc offset range tests didn't catch small negative offsets less
  than the size of the reloc field. This vulnerability causes programs that
  conduct an analysis of binary programs using the libbfd library, such as
  objdump, to crash. (CVE-2017-8396)

  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
  GNU Binutils 2.28, is vulnerable to an invalid read of size 1 and an
  invalid write of size 1 during processing of a corrupt binary containing
  reloc(s) with negative addresses. This vulnerability causes programs that
  conduct an analysis of binary programs using the libbfd library, such as
  objdump, to crash. (CVE-2017-8397)

  dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1
  during dumping of debug information from a corrupt binary. This
  vulnerability causes programs that conduct an analysis of binary programs,
  such as objdump and readelf, to crash. (CVE-2017-8398)

  The function coff_set_alignment_hook in coffcode.h in Binary File
  Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28,
  has a memory leak vulnerability which can cause memory exhaustion in
  objdump via a crafted PE file. Additional validation in
  dump_relocs_in_section in objdump.c can resolve this. (CVE-2017-8421)

  GNU Binutils 2.28 allows remote attackers to cause a denial of service
  (heap-based buffer over-read and application crash) via a crafted ELF file,
  related to the byte_get_little_endian function in elfcomm.c, the
  get_unwind_section_word function in readelf.c, and ARM unwind information
  that contains invalid word offsets. (CVE-2017-9038)

  GNU Binutils 2.28 allows remote attackers to cause a denial of service
  (memory consumption) via a crafted ELF file with many program headers,
  related to the get_program_headers function in readelf.c. (CVE-2017-9039)

  GNU Binutils 2017-04-03 allows remote attackers to cause a denial of
  service (NULL pointer dereference and application crash), related to the
  process_mips_specific function in readelf.c, via a crafted ELF file that
  triggers a large memory-allocation attempt. (CVE-2017-9040)

  GNU Binutils 2.28 allows remote attackers to cause a denial of service
  (heap-based buffer over-read and application crash) via a crafted ELF file,
  related to MIPS GOT mishandling in the process_mips_specific function in
  readelf.c. (CVE-2017-9041)

  readelf.c in GNU Binutils 2017-04-12 has a "cannot be represented in type
  long" issue, which might allow remote attackers to cause a denial of service
  (application crash) or possibly have unspecified other impact via a crafted
  ELF file. (CVE-2017-9042)

  readelf.c in GNU Binutils 2017-04-12 has a "shift exponent too large for
  type unsigned long" issue, which might allow remote attackers to cause a
  denial of service (application crash) or possibly have unspecified other
  impact via a crafted ELF file. (CVE-2017-9043)

  The print_symbol_for_build_attribute function in readelf.c in GNU Binutils
  2017-04-12 allows remote attackers to cause a denial of service (invalid
  read and SEGV) via a crafted ELF file. (CVE-2017-9044)

  The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows
  remote attackers to cause a denial of service (buffer overflow and
  application crash) or possibly have unspecified other impact via a crafted
  binary file, as demonstrated by mishandling of rae insns printing for this
  file during "objdump -D" execution. (CVE-2017-9746)

  The ieee_archive_p function in bfd/ieee.c in the Binary File Descriptor
  (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might
  allow remote attackers to cause a denial of service (buffer overflow and
  application crash) or possibly have unspecified other impact via a crafted
  binary file, as demonstrated by mishandling of this file during
  "objdump -D" execution. (CVE-2017-9747)

  The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor
  (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might
  allow remote attackers to cause a denial of service (buffer overflow and
  application crash) or possibly have unspecified other impact via a crafted
  binary file, as demonstrated by mishandling of this file during
  "objdump -D" execution. (CVE-2017-9748)

  opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain
  scale arrays, which allows remote attackers to cause a denial of service
  (buffer overflow and application crash) or possibly have unspecified other
  impact via a crafted binary file, as demonstrated by mishandling of this
  file during "objdump -D" execution. (CVE-2017-9750)

  opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of
  registers for bnd mode, which allows remote attackers to cause a denial
  of service (buffer overflow and application crash) or possibly have
  unspecified other impact via a crafted binary file, as demonstrated by
  mishandling of this file during "objdump -D" execution. (CVE-2017-9755)

  The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU
  Binutils 2.28 allows remote attackers to cause a denial of service
  (buffer overflow and application crash) or possibly have unspecified
  other impact via a crafted binary file, as demonstrated by mishandling
  of this file during "objdump -D" execution. (CVE-2017-9756)

  The getvalue function in tekhex.c in the Binary File Descriptor (BFD)
  library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote
  attackers to cause a denial of service (stack-based buffer over-read and
  application crash) via a crafted tekhex file, as demonstrated by
  mishandling within the nm program. (CVE-2017-9954)

  The get_build_id function in opncls.c in the Binary File Descriptor (BFD)
  library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote
  attackers to cause a denial of service (heap-based buffer over-read and
  application crash) via a crafted file in which a certain size field is
  larger than a corresponding data field, as demonstrated by mishandling
  within the objdump program. (CVE-2017-9955)

  The bfd_cache_close function in bfd/cache.c in the Binary File Descriptor
  (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier,
  allows remote attackers to cause a heap use after free and possibly achieve
  code execution via a crafted nested archive file. This issue occurs because
  incorrect functions are called during an attempt to release memory. The
  issue can be addressed by better input validation in the
  bfd_generic_archive_p function in bfd/archive.c. (CVE-2017-12448)

  The _bfd_vms_save_sized_string function in vms-misc.c in the Binary File
  Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29
  and earlier, allows remote attackers to cause an out of bounds heap read
  via a crafted vms file. (CVE-2017-12449)

  The alpha_vms_object_p function in bfd/vms-alpha.c in the Binary File
  Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29
  and earlier, allows remote attackers to cause an out of bounds heap write
  and possibly achieve code execution via a crafted vms alpha file.
  (CVE-2017-12450)

  The _bfd_xcoff_read_ar_hdr function in bfd/coff-rs6000.c and
  bfd/coff64-rs6000.c in the Binary File Descriptor (BFD) library (aka
  libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote
  attackers to cause an out of bounds stack read via a crafted COFF image
  file. (CVE-2017-12451)

  The bfd_mach_o_i386_canonicalize_one_reloc function in bfd/mach-o-i386.c
  in the Binary File Descriptor (BFD) library (aka libbfd), as distributed
  in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out
  of bounds heap read via a crafted mach-o file. (CVE-2017-12452)

  The _bfd_vms_slurp_eeom function in libbfd.c in the Binary File Descriptor
  (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier,
  allows remote attackers to cause an out of bounds heap read via a crafted
  vms alpha file. (CVE-2017-12453)

  The _bfd_vms_slurp_egsd function in bfd/vms-alpha.c in the Binary File
  Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29
  and earlier, allows remote attackers to cause an arbitrary memory read via
  a crafted vms alpha file. (CVE-2017-12454)

  The evax_bfd_print_emh function in vms-alpha.c in the Binary File
  Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29
  and earlier, allows remote attackers to cause an out of bounds heap read
  via a crafted vms alpha file. (CVE-2017-12455)

  The read_symbol_stabs_debugging_info function in rddbg.c in GNU Binutils
  2.29 and earlier allows remote attackers to cause an out of bounds heap
  read via a crafted binary file. (CVE-2017-12456)

  The bfd_make_section_with_flags function in section.c in the Binary File
  Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29
  and earlier, allows remote attackers to cause a NULL dereference via a
  crafted file. (CVE-2017-12457)

  The nlm_swap_auxiliary_headers_in function in bfd/nlmcode.h in the Binary
  File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils
  2.29 and earlier, allows remote attackers to cause an out of bounds heap
  read via a crafted nlm file. (CVE-2017-12458)

  The bfd_mach_o_read_symtab_strtab function in bfd/mach-o.c in the Binary
  File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils
  2.29 and earlier, allows remote attackers to cause an out of bounds heap
  write and possibly achieve code execution via a crafted mach-o file.
  (CVE-2017-12459)

  The elf_read_notesfunction in bfd/elf.c in GNU Binutils 2.29 allows remote
  attackers to cause a denial of service (buffer overflow and application
  crash) or possibly have unspecified other impact via a crafted binary file.
  (CVE-2017-12799)

  The setup_group function in elf.c in the Binary File Descriptor (BFD)
  library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote
  attackers to cause a denial of service (NULL pointer dereference and
  application crash) via a group section that is too small. (CVE-2017-13710)

  The C++ symbol demangler routine in cplus-dem.c in libiberty, as
  distributed in GNU Binutils 2.29, allows remote attackers to cause a
  denial of service (excessive memory allocation and application crash) via
  a crafted file, as demonstrated by a call from the Binary File Descriptor
  (BFD) library (aka libbfd). (CVE-2017-13716)

  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
  GNU Binutils 2.29, does not validate the PLT section size, which allows
  remote attackers to cause a denial of service (heap-based buffer over-read
  and application crash) via a crafted ELF file, related to
  elf_i386_get_synthetic_symtab in elf32-i386.c and 
  elf_x86_64_get_synthetic_symtab in elf64-x86-64.c. (CVE-2017-13757)

  The decode_line_info function in dwarf2.c in the Binary File Descriptor
  (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows
  remote attackers to cause a denial of service (read_1_byte heap-based
  buffer over-read and application crash) via a crafted ELF file.
  (CVE-2017-14128)

  The read_section function in dwarf2.c in the Binary File Descriptor (BFD)
  library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote
  attackers to cause a denial of service (parse_comp_unit heap-based buffer
  over-read and application crash) via a crafted ELF file. (CVE-2017-14129)

  The _bfd_elf_parse_attributes function in elf-attrs.c in the Binary File
  Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29,
  allows remote attackers to cause a denial of service 
  (_bfd_elf_attr_strdup heap-based buffer over-read and application crash)
  via a crafted ELF file. (CVE-2017-14130)

  The process_version_sections function in readelf.c in GNU Binutils 2.29
  allows attackers to cause a denial of service (Integer Overflow, and hang
  because of a time-consuming loop) or possibly have unspecified other impact
  via a crafted binary file with invalid values of ent.vn_next, during
  "readelf -a" execution. (CVE-2017-14333)

  The pe_print_idata function in peXXigen.c in the Binary File Descriptor
  (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles
  HintName vector entries, which allows remote attackers to cause a denial
  of service (heap-based buffer over-read and application crash) via a
  crafted PE file, related to the bfd_getl16 function. (CVE-2017-14529)

  The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD)
  library (aka libbfd), as distributed in GNU Binutils 2.29, do not ensure
  a unique PLT entry for a symbol, which allows remote attackers to cause a
  denial of service (heap-based buffer overflow and application crash) or
  possibly have unspecified other impact via a crafted ELF file, related to
  elf32-i386.c and elf64-x86-64.c. (CVE-2017-14729)

  The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD)
  library (aka libbfd), as distributed in GNU Binutils 2.29, interpret a -1
  value as a sorting count instead of an error flag, which allows remote
  attackers to cause a denial of service (integer overflow and application
  crash) or possibly have unspecified other impact via a crafted ELF file,
  related to elf32-i386.c and elf64-x86-64.c. (CVE-2017-14745)

  _bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor (BFD)
  library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote
  attackers to cause a denial of service (excessive memory allocation and
  application crash) via a crafted ELF file. (CVE-2017-14938)

  decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library
  (aka libbfd), as distributed in GNU Binutils 2.29, mishandles a length
  calculation, which allows remote attackers to cause a denial of service
  (heap-based buffer over-read and application crash) via a crafted ELF
  file, related to read_1_byte. (CVE-2017-14939)

  scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD)
  library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote
  attackers to cause a denial of service (NULL pointer dereference and
  application crash) via a crafted ELF file. (CVE-2017-14940)

  The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD)
  library (aka libbfd), as distributed in GNU Binutils 2.29, mishandle the
  failure of a certain canonicalization step, which allows remote attackers
  to cause a denial of service (NULL pointer dereference and application
  crash) via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.
  (CVE-2017-14974)

  dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as
  distributed in GNU Binutils 2.29, mishandles pointers, which allows remote
  attackers to cause a denial of service (application crash) or possibly
  have unspecified other impact via a crafted ELF file, related to
  parse_die and parse_line_table, as demonstrated by a parse_die heap-based
  buffer over-read. (CVE-2017-15020)

  bfd_get_debug_link_info_1 in opncls.c in the Binary File Descriptor (BFD)
  library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote
  attackers to cause a denial of service (heap-based buffer over-read and
  application crash) via a crafted ELF file, related to bfd_getl32.
  (CVE-2017-15021)

  dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as
  distributed in GNU Binutils 2.29, does not validate the DW_AT_name data
  type, which allows remote attackers to cause a denial of service
  (bfd_hash_hash NULL pointer dereference, or out-of-bounds access, and
  application crash) via a crafted ELF file, related to
  scan_unit_for_symbols and parse_comp_unit. (CVE-2017-15022)

  read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD)
  library (aka libbfd), as distributed in GNU Binutils 2.29, does not
  properly validate the format count, which allows remote attackers to cause
  a denial of service (NULL pointer dereference and application crash) via a
  crafted ELF file, related to concat_filename. (CVE-2017-15023)

  find_abstract_instance_name in dwarf2.c in the Binary File Descriptor (BFD)
  library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote
  attackers to cause a denial of service (infinite recursion and application
  crash) via a crafted ELF file. (CVE-2017-15024)

  decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library
  (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers
  to cause a denial of service (divide-by-zero error and application crash)
  via a crafted ELF file. (CVE-2017-15025)

  dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as
  distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs
  in the case of a relocatable object file, which allows remote attackers to
  cause a denial of service (find_abstract_instance_name invalid memory read,
  segmentation fault, and application crash). (CVE-2017-15938)

  dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as
  distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line
  file table, which allows remote attackers to cause a denial of service
  (NULL pointer dereference and application crash) via a crafted ELF file,
  related to concat_filename. NOTE: this issue is caused by an incomplete
  fix for CVE-2017-15023. (CVE-2017-15939)

  The elf_object_p function in elfcode.h in the Binary File Descriptor (BFD)
  library (aka libbfd), as distributed in GNU Binutils 2.29.1, has an
  unsigned integer overflow because bfd_size_type multiplication is not used.
  A crafted ELF file allows remote attackers to cause a denial of service
  (application crash) or possibly have unspecified other impact.
  (CVE-2018-6323)

  In GNU Binutils 2.30, there's an integer overflow in the function
  load_specific_debug_section() in objdump.c, which results in malloc()
  with 0 size. A crafted ELF file allows remote attackers to cause a denial
  of service (application crash) or possibly have unspecified other impact.
  (CVE-2018-6543)

  The bfd_get_debug_link_info_1 function in opncls.c in the Binary File
  Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils
  2.30, has an unchecked strnlen operation. Remote attackers could leverage
  this vulnerability to cause a denial of service (segmentation fault) via
  a crafted ELF file. (CVE-2018-6759)

  The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD)
  library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote
  attackers to cause a denial of service (out-of-bounds read and segmentation
  violation) via a note with a large alignment. (CVE-2018-6872)

  In the coff_pointerize_aux function in coffgen.c in the Binary File
  Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils
  2.30, an index is not validated, which allows remote attackers to cause
  a denial of service (segmentation fault) or possibly have unspecified
  other impact via a crafted file, as demonstrated by objcopy of a COFF
  object. (CVE-2018-7208)

  The parse_die function in dwarf1.c in the Binary File Descriptor (BFD)
  library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote
  attackers to cause a denial of service (integer overflow and application
  crash) via an ELF file with corrupt dwarf1 debug information, as
  demonstrated by nm. (CVE-2018-7568)

  dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as
  distributed in GNU Binutils 2.30, allows remote attackers to cause a
  denial of service (integer underflow or overflow, and application crash)
  via an ELF file with a corrupt DWARF FORM block, as demonstrated by nm.
  (CVE-2018-7569)

  The assign_file_positions_for_non_load_sections function in elf.c in the
  Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
  Binutils 2.30, allows remote attackers to cause a denial of service (NULL
  pointer dereference and application crash) via an ELF file with a RELRO
  segment that lacks a matching LOAD segment, as demonstrated by objcopy.
  (CVE-2018-7570)

  The swap_std_reloc_in function in aoutx.h in the Binary File Descriptor
  (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows
  remote attackers to cause a denial of service (aout_32_swap_std_reloc_out
  NULL pointer dereference and application crash) via a crafted ELF file,
  as demonstrated by objcopy. (CVE-2018-7642)

  The display_debug_ranges function in dwarf.c in GNU Binutils 2.30 allows
  remote attackers to cause a denial of service (integer overflow and
  application crash) or possibly have unspecified other impact via a crafted
  ELF file, as demonstrated by objdump. (CVE-2018-7643)

  The bfd_section_from_shdr function in elf.c in the Binary File Descriptor
  (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows
  remote attackers to cause a denial of service (segmentation fault) via a
  large attribute section. (CVE-2018-8945)

  process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remote attackers
  to cause a denial of service (heap-based buffer over-read and application
  crash) via a crafted binary file, as demonstrated by readelf.
  (CVE-2018-10372)

  concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library
  (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers
  to cause a denial of service (NULL pointer dereference and application
  crash) via a crafted binary file, as demonstrated by nm-new.
  (CVE-2018-10373)

  The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the
  Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
  Binutils 2.30, processes a negative Data Directory size with an unbounded
  loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so
  that the address exceeds its own memory region, resulting in an
  out-of-bounds memory write, as demonstrated by objcopy copying private info
  with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c.
  (CVE-2018-10534)

  The ignore_section_sym function in elf.c in the Binary File Descriptor
  (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, does not
  validate the output_section pointer in the case of a symtab entry with a
  "SECTION" type that has a "0" value, which allows remote attackers to
  cause a denial of service (NULL pointer dereference and application crash)
  via a crafted file, as demonstrated by objcopy. (CVE-2018-10535)

  An issue was discovered in cp-demangle.c in GNU libiberty, as distributed
  in GNU Binutils 2.31. Stack Exhaustion occurs in the C++ demangling
  functions provided by libiberty, and there is a stack consumption problem
  caused by recursive stack frames: cplus_demangle_type,
  d_bare_function_type, d_function_type. (CVE-2018-18484)

  An issue was discovered in cp-demangle.c in GNU libiberty, as distributed
  in GNU Binutils 2.31. There is a stack consumption vulnerability resulting
  from infinite recursion in the functions d_name(), d_encoding(), and
  d_local_name() in cp-demangle.c. Remote attackers could leverage this
  vulnerability to cause a denial-of-service via an ELF file, as
  demonstrated by nm. (CVE-2018-18700)

  An issue was discovered in GNU libiberty, as distributed in GNU Binutils
  2.32. It is a stack consumption issue in d_count_templates_scopes in
  cp-demangle.c after many recursive calls. (CVE-2019-9071)

  An issue was discovered in the Binary File Descriptor (BFD) library (aka
  libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive
  memory allocation in _bfd_elf_slurp_version_tables in elf.c.
  (CVE-2019-9073)

  An issue was discovered in the Binary File Descriptor (BFD) library (aka
  libbfd), as distributed in GNU Binutils 2.32. It is an out-of-bounds read
  leading to a SEGV in bfd_getl32 in libbfd.c, when called from
  pex64_get_runtime_function in pei-x86_64.c. (CVE-2019-9074)

  An issue was discovered in the Binary File Descriptor (BFD) library (aka
  libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer
  overflow in _bfd_archive_64_bit_slurp_armap in archive64.c.
  (CVE-2019-9075)

  An issue was discovered in GNU Binutils 2.32. It is a heap-based buffer
  overflow in process_mips_specific in readelf.c via a malformed MIPS option
  section. (CVE-2019-9077)

  For more information on the various security issues, read the referenced
  cve.mitre.org links.

  For more information about the other changes and additional features of
  binutils / gas / ld in this update, see the referenced sourceware.org
  NEWS links.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=18987
 - https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blob_plain;f=binutils/NEWS;hb=refs/tags/binutils-2_32
 - https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blob_plain;f=gas/NEWS;hb=refs/tags/binutils-2_32
 - https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blob_plain;f=ld/NEWS;hb=refs/tags/binutils-2_32
 - https://lwn.net/Alerts/694764/
 - https://openwall.com/lists/oss-security/2017/03/16/8
 - https://openwall.com/lists/oss-security/2017/04/10/16
 - https://openwall.com/lists/oss-security/2017/05/18/7
 - https://openwall.com/lists/oss-security/2017/09/26/6
 - https://openwall.com/lists/oss-security/2017/09/30/1
 - https://openwall.com/lists/oss-security/2017/09/30/2
 - https://openwall.com/lists/oss-security/2017/09/30/3
 - https://openwall.com/lists/oss-security/2017/10/04/3
 - https://openwall.com/lists/oss-security/2017/10/04/6
 - https://openwall.com/lists/oss-security/2017/10/04/4
 - https://openwall.com/lists/oss-security/2017/10/04/5
 - https://openwall.com/lists/oss-security/2017/10/04/8
 - https://openwall.com/lists/oss-security/2017/10/04/7
 - https://openwall.com/lists/oss-security/2017/10/27/4
 - https://openwall.com/lists/oss-security/2017/10/27/3
 - https://lists.opensuse.org/opensuse-updates/2017-12/msg00008.html
 - https://lists.suse.com/pipermail/sle-security-updates/2018-October/004678.html
 - https://lists.suse.com/pipermail/sle-security-updates/2018-October/004683.html
 - https://lists.opensuse.org/opensuse-updates/2018-10/msg00104.html
 - https://lists.opensuse.org/opensuse-updates/2018-10/msg00133.html
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/37N6SA4WSBTFWAMPQXHSO7JRJQ6EIIO5/
 - https://bugzilla.redhat.com/show_bug.cgi?id=1645958

Keywords: (none) => advisory

Comment 44 Mageia Robot 2019-05-12 22:59:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0169.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.