RedHat has issued an advisory on August 6: https://access.redhat.com/errata/RHSA-2019:2075
Whiteboard: (none) => MGA7TOO, MGA6TOO
openSUSE has issued an advisory on October 22: https://lists.opensuse.org/opensuse-updates/2019-10/msg00136.html
The fix was supposed to have been included in 2.33, so Cauldron shouldn't be affected.
Summary: binutils new security issues CVE-2018-12641, CVE-2018-12697, CVE-2018-1000876 => binutils new security issues CVE-2018-12641, CVE-2018-12697, CVE-2018-1000876, CVE-2019-14250
Not sure if our Mageia 7 update had all of these fixes: https://lists.opensuse.org/opensuse-updates/2019-10/msg00183.html
Will try to check this weekend
Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
Status comment: (none) => Fixed upstream in 2.33
Status comment: Fixed upstream in 2.33 => (none)
Perhaps binutils 2.34 has all of the fixes.
Yeah, I do plan to push binutils 2.34 soon-ish as it also contains the mitigations for the slowdowns caused by the Intel JCC security fixes last year...
Ok, sadly 2.34 is a no-go. It broke ABI/API for libopcodes and libbfd (and that kills perf and bpftool and afaik gdb, so that's that...) And upstream says: "binutils doesn't have any commitment to a stable ABI/API for libopcodes and libbfd.", so the breakage won't be fixed as they consider the usage as (ab)using internal headers... So I will roll up to the stable 2.33 + the missing security fixes, and we'll stay with that for Mga7 lifetime...
Anyway, Cauldron is fixed with 2.34
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CVE-2018-12641, CVE-2018-12697 and CVE-2018-1000876 were fixed before the binutils 2.32 release that we have in mga7.
Summary: binutils new security issues CVE-2018-12641, CVE-2018-12697, CVE-2018-1000876, CVE-2019-14250 => binutils new security issues CVE-2019-14250
What about the issues in Comment 2? It looks like they had to update from 2.32 release to the 2.32 branch to get all of those fixes.
binutils 2.33 fixed CVE-2019-14250. I've added fixes for CVE-2019-17450, CVE-2019-17451, CVE-2019-1010204 on top of upstream 2.33.1 + branch fixes, so we should have all currently known security issues covered. There is now a binutils-2.33.1-1.mga7 building.
Summary: binutils new security issues CVE-2019-14250 => binutils new security issues CVE-2019-14250, CVE-2019-17450, CVE-2019-17451, CVE-2019-1010204
So that is:

SRPM:
binutils-2.33.1-1.mga7.src.rpm

i586:
binutils-2.33.1-1.mga7.i586.rpm
libbinutils-devel-2.33.1-1.mga7.i586.rpm

x86_64:
binutils-2.33.1-1.mga7.x86_64.rpm
lib64binutils-devel-2.33.1-1.mga7.x86_64.rpm
Assignee: tmb => qa-bugs
mga7, x86_64

Tested binutils-2.32-14

CVE-2019-17450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17450
https://sourceware.org/bugzilla/show_bug.cgi?id=25078

$ nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc6_stack-overflow_find_abstract_instance
nm: warning: poc6_stack-overflow_find_abstract_instance has a corrupt section with a size (fffffffffffff46c) larger than the file size
poc6_stack-overflow_find_abstract_instance: U __cxa_begin_catch@CXXABI_1.3
nm: poc6_stack-overflow_find_abstract_instance: attempt to load strings from a non-string section (number 36)
[...]
poc6_stack-overflow_find_abstract_instance: w __gmon_start__
Segmentation fault (core dumped)

CVE-2019-17451
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17451
https://sourceware.org/bugzilla/show_bug.cgi?id=25070

$ nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc1_segv__bfd_dwarf2_find_nearest_line
nm: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (1e0000000008) larger than the file size
[...]
Segmentation fault (core dumped)

CVE-2019-1010204
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204
https://sourceware.org/bugzilla/show_bug.cgi?id=23765
The PoC file is testcase.o but the suggestion is to run it with a package called gold which we do not have.

Updated the two packages and tested the PoC again.

CVE-2019-17450
$ nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc6_stack-overflow_find_abstract_instance
nm: warning: poc6_stack-overflow_find_abstract_instance has a corrupt section with a size (fffffffffffff46c) larger than the file size
[...]
This completes without crashing.

CVE-2019-17451
$ nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc1_segv__bfd_dwarf2_find_nearest_line
nm: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (1e0000000008) larger than the file size
[...]
This also exits cleanly, without the segfault.

Running some quick tests on the utilities:

$ objdump -f /bin/cargo
/bin/cargo: file format elf64-x86-64
architecture: i386:x86-64, flags 0x00000150:
HAS_SYMS, DYNAMIC, D_PAGED
start address 0x0000000000064c20

$ objdump -x /bin/pulseaudio
/bin/pulseaudio: file format elf64-x86-64
/bin/pulseaudio
architecture: i386:x86-64, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x0000000000408030

Program Header:
PHDR off 0x0000000000000040 vaddr 0x0000000000400040 paddr 0x000000000040
[...]

$ readelf -hl /bin/python3
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
[...]
07 .note.gnu.build-id .note.ABI-tag
08 .eh_frame_hdr
09
10 .init_array .fini_array .dynamic .got

$ nm -A -a -l -S -s --special-syms --synthetic -D /bin/stellarium
/bin/stellarium: U acos
/bin/stellarium: U acosf
/bin/stellarium:00000000005810f0 T acosf@plt
/bin/stellarium:0000000000585d30 T acos@plt
/bin/stellarium:0000000000cc2050 0000000000000045 T addXMLAtt
[...]
/bin/stellarium:00000000010f9b60 0000000000000198 u _ZZZN18APIServiceResponse16writeWrappedHTMLERK7QStringS2_ENKUlvE_clEvE15qstring_literal

$ strings /bin/lua | grep -i luaL
luaL_openlib
luaL_where
luaL_traceback
luaL_pushresultsize
[...]
luaL_buffinit
luaL_requiref

This looks OK for 64-bits. This should maybe be tested for 32-bits - maybe in a VM.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
(In reply to Len Lawrence from comment #12)
> mga7, x86_64
>
> Tested binutils-2.32-14
>
> CVE-2019-1010204
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204
> https://sourceware.org/bugzilla/show_bug.cgi?id=23765
> The PoC file is testcase.o but the suggestion is to run it with a package
> called gold which we do not have.

There are 2 linkers in binutils, the standard bfd linker and the "supposedly better" gold linker. They are called ld.bfd (and this is also the same as "ld") and ld.gold, so both can be accessible depending on need.

I've tested the poc with ld.gold and get a segfault with old binutils, and with new binutils it copes with it without crash:

ld.gold testcase.o
ld.gold: error: testcase.o: bad e_ehsize (0 != 64)
ld.gold: error: testcase.o: bad e_shentsize (0 != 64)
ld.gold: fatal error: testcase.o: read failed, starting offset (0xbada55c0de0fe000) less than zero
CC: (none) => tmb
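The nm and ld.gold runs above both reject the same class of input: ELF headers whose fields contradict the file (e_ehsize/e_shentsize of 0, a section size larger than the file). As an added example that is not part of this bug thread or of binutils, the following Python sanity checker parses an ELF64 header and section table and reports those inconsistencies; build_sample() is a constructed, hypothetical file, not the thread's PoC.

```python
import struct

ELF64_EHDR = "<HHIQQQIHHHHHH"   # fields after the 16-byte e_ident
ELF64_SHDR = "<IIQQQQIIQQ"
SHT_NOBITS = 8

def build_sample(corrupt=True):
    """Constructed ELF64 little-endian sample (hypothetical, not a real PoC).

    With corrupt=True the header claims e_ehsize/e_shentsize of 0 and the only
    section has a size far larger than the file, like the nm/ld.gold output above.
    """
    ehsize = 0 if corrupt else 64
    sh_size = 0xFFFFFFFFFFFFF46C if corrupt else 0x10
    ehdr = bytearray(b"\x7fELF\x02\x01\x01" + b"\0" * 9)   # ELF64, little endian, v1
    # e_type=REL, e_machine=x86-64, e_version, e_entry, e_phoff, e_shoff=64, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum=1, e_shstrndx
    ehdr += struct.pack(ELF64_EHDR, 1, 62, 1, 0, 0, 64, 0, ehsize, 0, 0, ehsize, 1, 0)
    # sh_name, sh_type=PROGBITS, sh_flags, sh_addr, sh_offset=0x80, sh_size, link, info, align, entsize
    shdr = struct.pack(ELF64_SHDR, 0, 1, 0, 0, 0x80, sh_size, 0, 0, 1, 0)
    return bytes(ehdr + shdr + b"\0" * 16)   # 144 bytes in total

def check_elf64(data):
    """Return the list of header inconsistencies found (empty means sane)."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return ["not an ELF file"]
    if data[4] != 2 or data[5] != 1:
        return ["only ELF64 little-endian is handled here"]
    (_, _, _, _, _, shoff, _, ehsize, _, _,
     shentsize, shnum, _) = struct.unpack_from(ELF64_EHDR, data, 16)
    problems = []
    if ehsize != 64:
        problems.append(f"bad e_ehsize ({ehsize} != 64)")
    if shnum and shentsize != 64:
        problems.append(f"bad e_shentsize ({shentsize} != 64)")
    # Walk the section table with the real entry size rather than the claimed one,
    # flagging sections whose bytes would lie beyond the end of the file. Python
    # integers do not wrap, so sh_offset + sh_size cannot overflow as it would in C.
    for i in range(shnum):
        off = shoff + i * 64
        if off + 64 > len(data):
            problems.append(f"section header {i} lies outside the file")
            break
        _, sh_type, _, _, sh_offset, sh_size, _, _, _, _ = struct.unpack_from(ELF64_SHDR, data, off)
        if sh_type != SHT_NOBITS and sh_offset + sh_size > len(data):
            problems.append(f"section {i} has a corrupt size ({sh_size:x}) larger than the file size")
    return problems

if __name__ == "__main__":
    for corrupt in (True, False):
        print("corrupt" if corrupt else "sane", check_elf64(build_sample(corrupt)))
```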
@tmb, comment 13. Thanks for the clarification Thomas, and for the tests.
Tested on my Dell Inspiron 5100, running a 32-bit Xfce system on a 32-bit P4. Package installed cleanly. Used copy-and-paste to run several of the commands from Comment 12. I had to change some of the file names because some did not exist on this system, but that was the only reason for a failure. Should be enough of a test for 32-bits. Giving it the OK, and validating.
Whiteboard: MGA7-64-OK => MGA7-64-OK MGA7-32-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0112.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This update also fixed:
CVE-2019-12972
CVE-2019-14444
CVE-2019-9074
CVE-2019-9075
CVE-2019-9077
https://lists.suse.com/pipermail/sle-security-updates/2020-October/007650.html