Bug 25298 - binutils new security issues CVE-2019-14250, CVE-2019-17450, CVE-2019-17451, CVE-2019-1010204
Summary: binutils new security issues CVE-2019-14250, CVE-2019-17450, CVE-2019-17451, ...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK MGA7-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-12 21:03 CEST by David Walser
Modified: 2020-03-06 17:15 CET (History)
4 users (show)

See Also:
Source RPM: binutils-2.32-14.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-08-12 21:03:20 CEST
RedHat has issued an advisory on August 6:
https://access.redhat.com/errata/RHSA-2019:2075
David Walser 2019-08-12 21:03:26 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 David Walser 2019-12-03 18:47:17 CET
openSUSE has issued an advisory on October 22:
https://lists.opensuse.org/opensuse-updates/2019-10/msg00136.html

The fix was supposed to have been included in 2.33, so Cauldron shouldn't be affected.

Summary: binutils new security issues CVE-2018-12641, CVE-2018-12697, CVE-2018-1000876 => binutils new security issues CVE-2018-12641, CVE-2018-12697, CVE-2018-1000876, CVE-2019-14250

Comment 2 David Walser 2019-12-03 19:06:09 CET
Not sure if our Mageia 7 update had all of these fixes:
https://lists.opensuse.org/opensuse-updates/2019-10/msg00183.html
Comment 3 Thomas Backlund 2019-12-03 23:07:48 CET
Will try to check this weekend

Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO

David Walser 2020-01-14 17:59:53 CET

Status comment: (none) => Fixed upstream in 2.33

David Walser 2020-01-14 18:00:13 CET

Status comment: Fixed upstream in 2.33 => (none)

Comment 4 David Walser 2020-02-01 17:05:55 CET
Perhaps binutils 2.34 has all of the fixes.
Comment 5 Thomas Backlund 2020-02-01 19:42:58 CET
Yeah, I do plan to push binutils 2.34 soon-ish as it also contains the mitigations for the slowdowns caused by the Intel JCC security fixes last year...
Comment 6 Thomas Backlund 2020-02-04 00:29:25 CET
Ok, sadly 2.34 is a no-go.

it broke  ABI/API for libopcodes and libbfd (and that kills perf and bpftool and afaik gdb, so that's that...)

And upstream says: "binutils doesn't have any comitment to a stable ABI/API for libopcodes and libbfd.", so the breakage wont be fixed as they consider the usage as (ab)using internal headers...

So I will roll up to the stable 2.33 + the missing security fixes, and we'll stay with that for Mga7 lifetime...
Comment 7 Thomas Backlund 2020-02-04 00:29:58 CET
Anyway, Cauldron is fixed with 2.34

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 8 Thomas Backlund 2020-02-25 14:02:57 CET
CVE-2018-12641, CVE-2018-12697 and CVE-2018-1000876 was fixed before binutils 2.32 release that we have in mga7

Summary: binutils new security issues CVE-2018-12641, CVE-2018-12697, CVE-2018-1000876, CVE-2019-14250 => binutils new security issues CVE-2019-14250

Comment 9 David Walser 2020-02-25 14:20:27 CET
What about the issues in Comment 2?  It looks like they had to update from 2.32 release to the 2.32 branch to get all of those fixes.
Comment 10 Thomas Backlund 2020-02-25 15:04:23 CET
binutils 2.33 fixed CVE-2019-14250

I've added fixes for CVE-2019-17450, CVE-2019-17451, CVE-2019-1010204 on top of upstream 2.33.1 + branch fixes so we should have all currently known security issues covered.

There is now a binutils-2.33.1-1.mga7 building

Summary: binutils new security issues CVE-2019-14250 => binutils new security issues CVE-2019-14250, CVE-2019-17450, CVE-2019-17451, CVE-2019-1010204

Comment 11 Thomas Backlund 2020-02-25 15:44:53 CET

So that is:

SRPM:
binutils-2.33.1-1.mga7.src.rpm

i586:
binutils-2.33.1-1.mga7.i586.rpm
libbinutils-devel-2.33.1-1.mga7.i586.rpm

x86_64:
binutils-2.33.1-1.mga7.x86_64.rpm
lib64binutils-devel-2.33.1-1.mga7.x86_64.rpm

Assignee: tmb => qa-bugs

Comment 12 Len Lawrence 2020-02-26 16:11:35 CET
mga7, x86_64

Tested binutils-2.32-14

CVE-2019-17450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17450
https://sourceware.org/bugzilla/show_bug.cgi?id=25078
$ nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc6_stack-overflow_find_abstract_instance
nm: warning: poc6_stack-overflow_find_abstract_instance has a corrupt section with a size (fffffffffffff46c) larger than the file size
poc6_stack-overflow_find_abstract_instance:                 U __cxa_begin_catch@CXXABI_1.3nm: poc6_stack-overflow_find_abstract_instance: attempt to load strings from a non-string section (number 36)
[...]
poc6_stack-overflow_find_abstract_instance:                 w __gmon_start__
Segmentation fault (core dumped)

CVE-2019-17451
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17451
https://sourceware.org/bugzilla/show_bug.cgi?id=25070
$ nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc1_segv__bfd_dwarf2_find_nearest_line
nm: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (1e0000000008) larger than the file size
[...]
Segmentation fault (core dumped)

CVE-2019-1010204
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204
https://sourceware.org/bugzilla/show_bug.cgi?id=23765
The PoC file is testcase.o but the suggestion is to run it with a package called gold which we do not have.

Updated the two packages and tested the PoC again.

CVE-2019-17450
$ nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc6_stack-overflow_find_abstract_instance
nm: warning: poc6_stack-overflow_find_abstract_instance has a corrupt section with a size (fffffffffffff46c) larger than the file size
[...]

This completes without crashing.

CVE-2019-17451
$ nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D poc1_segv__bfd_dwarf2_find_nearest_line
nm: warning: poc1_segv__bfd_dwarf2_find_nearest_line has a corrupt section with a size (1e0000000008) larger than the file size
[...]

This also exits cleanly, without the segfault.

Running some quick tests on the utilities:

$ objdump -f /bin/cargo
/bin/cargo:     file format elf64-x86-64
architecture: i386:x86-64, flags 0x00000150:
HAS_SYMS, DYNAMIC, D_PAGED
start address 0x0000000000064c20

$ objdump -x /bin/pulseaudio

/bin/pulseaudio:     file format elf64-x86-64
/bin/pulseaudio
architecture: i386:x86-64, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x0000000000408030
Program Header:
    PHDR off    0x0000000000000040 vaddr 0x0000000000400040 paddr 0x000000000040
[...]

$ readelf -hl /bin/python3
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
[...]
   07     .note.gnu.build-id .note.ABI-tag 
   08     .eh_frame_hdr 
   09     
   10     .init_array .fini_array .dynamic .got 

$ nm -A -a -l -S -s --special-syms --synthetic -D /bin/stellarium
/bin/stellarium:                 U acos
/bin/stellarium:                 U acosf
/bin/stellarium:00000000005810f0 T acosf@plt
/bin/stellarium:0000000000585d30 T acos@plt
/bin/stellarium:0000000000cc2050 0000000000000045 T addXMLAtt
[...]
/bin/stellarium:00000000010f9b60 0000000000000198 u _ZZZN18APIServiceResponse16writeWrappedHTMLERK7QStringS2_ENKUlvE_clEvE15qstring_literal

$ strings /bin/lua | grep -i luaL
luaL_openlib
luaL_where
luaL_traceback
luaL_pushresultsize
[...]
luaL_buffinit
luaL_requiref

This looks OK for 64-bits.
This should maybe be tested for 32-bits - maybe in a VM.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

Comment 13 Thomas Backlund 2020-02-26 20:21:16 CET
(In reply to Len Lawrence from comment #12)
> mga7, x86_64
> 
> Tested binutils-2.32-14
> 

> 
> CVE-2019-1010204
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204
> https://sourceware.org/bugzilla/show_bug.cgi?id=23765
> The PoC file is testcase.o but the suggestion is to run it with a package
> called gold which we do not have.

There is 2 linkers in binutils, the standard bfd linker and the "supposedly better" gold linker.

they are called ld.bfd (and this is also the same as "ld") and the ld.gold so both can be accessible depending on need.

I've tested the poc with ld.gold and get a segfault with old binutils, and with new binutils it copes with it without crash:

ld.gold testcase.o 
ld.gold: error: testcase.o: bad e_ehsize (0 != 64)
ld.gold: error: testcase.o: bad e_shentsize (0 != 64)
ld.gold: fatal error: testcase.o: read failed, starting offset (0xbada55c0de0fe000) less than zero

CC: (none) => tmb

Comment 14 Len Lawrence 2020-02-26 23:42:47 CET
@tmb, comment 13.
Thanks for the clarification Thomas, and for the tests.
Comment 15 Thomas Andrews 2020-03-01 16:18:19 CET
Tested on my Dell Inspiron 5100, running a 32-bit Xfce system on a 32-bit P4.

Package installed cleanly. Used copy-and-paste to run several of the commands from Comment 12. I had to change some of the file names because some did not exist on this system, but that was the only reason for a failure.

Should be enough of a test for 32-bits. Giving it the OK, and validating.

Whiteboard: MGA7-64-OK => MGA7-64-OK MGA7-32-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-03-06 14:58:16 CET

Keywords: (none) => advisory

Comment 16 Mageia Robot 2020-03-06 17:15:29 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0112.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.