Bug 34053 - binutils new security issues CVE-2024-57360 and CVE-2025-0840
Summary: binutils new security issues CVE-2024-57360 and CVE-2025-0840
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-02-27 16:19 CET by Nicolas Salguero
Modified: 2025-03-02 08:19 CET (History)
3 users (show)

See Also:
Source RPM: binutils-2.40-11.mga9.src.rpm
CVE: CVE-2024-57360, CVE-2025-0840
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2025-02-27 16:19:06 CET 
Ubuntu has issued an advisory on February 26:
https://ubuntu.com/security/notices/USN-7306-1
Comment 1 Nicolas Salguero 2025-02-27 16:21:02 CET 
Upstream fixes:
  - CVE-2024-57360: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5f8987d3999edb26e757115fe87be55787d510b9
  - CVE-2025-0840: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893

Whiteboard: (none) => MGA9TOO
Status comment: (none) => Patches available from upstream and Ubuntu
CVE: (none) => CVE-2024-57360, CVE-2025-0840
Source RPM: (none) => binutils-2.43.1-2.mga10.src.rpm, binutils-2.40-11.mga9.src.rpm

Nicolas Salguero 2025-02-27 17:19:36 CET

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2025-02-28 08:58:08 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

nm >=2.43 is affected by: Incorrect Access Control. The type of exploitation is: local. The component is: `nm --without-symbol-version` function. (CVE-2024-57360)

GNU Binutils objdump.c disassemble_bytes stack-based overflow. (CVE-2025-0840)

References:
https://ubuntu.com/security/notices/USN-7306-1
========================

Updated packages in core/updates_testing:
========================
binutils-2.40-11.1.mga9
lib(64)binutils-devel-2.40-11.1.mga9

from SRPM:
binutils-2.40-11.1.mga9.src.rpm

Source RPM: binutils-2.43.1-2.mga10.src.rpm, binutils-2.40-11.mga9.src.rpm => binutils-2.40-11.mga9.src.rpm
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status comment: Patches available from upstream and Ubuntu => (none)
Assignee: nicolas.salguero => qa-bugs

Comment 3 Herman Viaene 2025-02-28 16:24:13 CET 
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 31092 for testing:
$ objdump -x /bin/pulseaudio

/bin/pulseaudio:     file format elf64-x86-64
/bin/pulseaudio
architecture: i386:x86-64, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x0000000000407160

Program Header:
etc......

$ objdump -f /bin/gcc

/bin/gcc:     file format elf64-x86-64
architecture: i386:x86-64, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x0000000000405ec0


$ readelf -hl /bin/python
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
etc ....

$ strings /bin/lua | grep -i luaL
luaL_checkstack
luaL_loadfilex
luaL_error
luaL_checkversion_
luaL_len
luaL_newstate
luaL_tolstring
luaL_callmeta
luaL_loadbufferx
luaL_traceback
luaL_openlibs

Looks all OK.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

katnatek 2025-02-28 18:30:18 CET

Keywords: (none) => advisory

Comment 4 Thomas Andrews 2025-03-01 16:19:06 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2025-03-02 08:19:29 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0084.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.