| Summary: | <sys-devel/binutils-2.25: invalid read flaw in libbfd (CVE-2014-{8484,8485,8501,8502,8503,8504,8737,8738}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | hanno, toolchain |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=bd25671c6f202c4a5108883caa2adb24ff6f361f | | |
| See Also: | https://bugzilla.redhat.com/show_bug.cgi?id=1156272 https://sourceware.org/bugzilla/show_bug.cgi?id=17509 | | |
| Whiteboard: | A3 [glsa cve] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-10-24 07:56:39 UTC
See also: https://sourceware.org/bugzilla/show_bug.cgi?id=17509

That bug affects both 2.23.2 and 2.24-r3.

The fix is already in 2.24.90 and will be in 2.25 final when it's released. I don't see a need to stabilize/backport here though. binutils is known to be not resilient to bad inputs, so anyone using their tools/libs in security sensitive areas are doing it wrong already.

*** Bug 527616 has been marked as a duplicate of this bug. ***

*** Bug 528984 has been marked as a duplicate of this bug. ***

CVE-2014-8737 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8737): Multiple directory traversal vulnerabilities in GNU binutils 2.24 and earlier allow local users to delete arbitrary files via a .. (dot dot) or full path name in an archive to (1) strip or (2) objcopy or create arbitrary files via (3) a .. (dot dot) or full path name in an archive to ar.

CVE-2014-8504 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8504): Stack-based buffer overflow in the srec_scan function in bfd/srec.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted file.

CVE-2014-8503 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8503): Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted ihex file.

CVE-2014-8502 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8502): Heap-based buffer overflow in the pe_print_edata function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a truncated export table in a PE file.

CVE-2014-8501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8501): The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) and possibly have other unspecified impact via a crafted NumberOfRvaAndSizes field in the AOUT header in a PE executable.

CVE-2014-8485 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8485): The setup_group function in bfd/elf.c in libbfd in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted section group headers in an ELF file.

CVE-2014-8484 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8484): The srec_scan function in bfd/srec.c in libbfd in GNU binutils before 2.25 allows remote attackers to cause a denial of service (out-of-bounds read) via a small S-record.

2.25 is in the tree now, but I don't see it being fast tracked stable-wise

(In reply to SpanKY from comment #6)
> 2.25 is in the tree now, but I don't see it being fast tracked stable-wise

Thanks for adding it to tree. Please call for stabilization when you consider it appropriate. Do you expect any issues when stabilizing/updating? If so, do we have a tracker bug for issues we can make a blocker for this bug?

CVE-2014-8738 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8738): The _bfd_slurp_extended_name_table function in bfd/archive.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (invalid write, segmentation fault, and crash) via a crafted extended name table in an archive.

vapier: this has been in the tree for a while now. Can we go on with 2.25 stabilization? I don't see any 2.25 specific bugs right now. If there are blockers can you mark them to block this bug?

Adjusting summary: Gentoo repository never had v2.24.90 so the first version containing the fix which landed in the repository was =sys-devel/binutils-2.25. =sys-devel/binutils-2.25.1-r1 is the current stable version in the repository. New GLSA created. Added CVE status based on comment #5.

@ Maintainer(s): Please cleanup <sys-devel/binutils-2.25. If you don't want to remove previous version please apply masks indicating a security problem.

This issue was resolved and addressed in GLSA 201612-24 at https://security.gentoo.org/glsa/201612-24 by GLSA coordinator Aaron Bauman (b-man).

@maintainer(s), reopening for cleanup.

Tree is clean.
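
A pre-flight check for the two archive issues listed in this report (the `..`/full path member names of CVE-2014-8737 and the extended name table of CVE-2014-8738), added here as an example; it is not code from the bug report or from binutils. The function names and the sample archive are constructed for illustration, and only the GNU `ar` layout is parsed.

```python
AR_MAGIC = b"!<arch>\n"

def unsafe_reason(name):
    """Return why a member name could escape the working directory, or None."""
    if name.startswith("/"):
        return "absolute path"
    if ".." in name.split("/"):
        return "dot-dot component"
    return None

def ar_member_names(data):
    """Yield file member names from a GNU-format ar archive held in bytes."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, longnames = len(AR_MAGIC), b""
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        raw = hdr[0:16].decode("latin-1").rstrip(" ")
        size = int(hdr[48:58].decode("ascii").strip())
        body = data[pos + 60:pos + 60 + size]
        if len(body) != size:
            raise ValueError("truncated member at offset %d" % pos)
        pos += 60 + size + (size & 1)      # member data is padded to even length
        if raw == "//":                    # GNU extended name table
            longnames = body
        elif raw in ("/", "/SYM64/"):      # symbol index, not a file
            continue
        elif raw.startswith("/") and raw[1:].isdigit():   # "/<offset>" into the table
            off = int(raw[1:])
            if off >= len(longnames):      # reject references outside the table
                raise ValueError("extended name offset out of range")
            yield longnames[off:].split(b"\n", 1)[0].decode("latin-1").rstrip("/")
        else:                              # short name, "/"-terminated
            yield raw[:-1] if raw.endswith("/") else raw

def audit(data):
    """List (name, reason) for every member that should not be processed."""
    return [(n, why) for n in ar_member_names(data) if (why := unsafe_reason(n))]

def member(name_field, body=b""):
    """Build one ar member for the constructed sample below."""
    hdr = "%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name_field, 0, 0, 0, "644", len(body))
    return hdr.encode("latin-1") + body + (b"\n" if len(body) & 1 else b"")

# Constructed sample: one benign member, one absolute path, one ".." long name.
SAMPLE = (AR_MAGIC + member("//", b"../../home/user/.profile/\n")
          + member("ok.o/", b"abc") + member("/etc/x/") + member("/0"))
```

Run `audit()` on untrusted archives before handing them to `ar`, `strip` or `objcopy` from a binutils older than 2.25, and refuse the archive if the list is non-empty or a `ValueError` is raised.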