
Bug 635218 (CVE-2017-7209, CVE-2017-7210, CVE-2017-7223, CVE-2017-7224, CVE-2017-7225, CVE-2017-7227, CVE-2017-9743, CVE-2017-9746, CVE-2017-9749, CVE-2017-9750, CVE-2017-9751, CVE-2017-9755, CVE-2017-9756)

Summary: <sys-devel/binutils-2.29.1-r1: Multiple vulnerabilities
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-23 19:43:00 UTC
CVE-2017-9756 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9756):
  The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU
  Binutils 2.28 allows remote attackers to cause a denial of service (buffer
  overflow and application crash) or possibly have unspecified other impact
  via a crafted binary file, as demonstrated by mishandling of this file
  during "objdump -D" execution.

CVE-2017-9755 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9755):
  opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of
  registers for bnd mode, which allows remote attackers to cause a denial of
  service (buffer overflow and application crash) or possibly have unspecified
  other impact via a crafted binary file, as demonstrated by mishandling of
  this file during "objdump -D" execution.

CVE-2017-9751 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9751):
  opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro,
  which allows remote attackers to cause a denial of service (buffer overflow
  and application crash) or possibly have unspecified other impact via a
  crafted binary file, as demonstrated by mishandling of this file during
  "objdump -D" execution.

CVE-2017-9750 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9750):
  opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain
  scale arrays, which allows remote attackers to cause a denial of service
  (buffer overflow and application crash) or possibly have unspecified other
  impact via a crafted binary file, as demonstrated by mishandling of this
  file during "objdump -D" execution.

CVE-2017-9749 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9749):
  The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote
  attackers to cause a denial of service (buffer overflow and application
  crash) or possibly have unspecified other impact via a crafted binary file,
  as demonstrated by mishandling of this file during "objdump -D" execution.

CVE-2017-9746 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9746):
  The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows
  remote attackers to cause a denial of service (buffer overflow and
  application crash) or possibly have unspecified other impact via a crafted
  binary file, as demonstrated by mishandling of rae insns printing for this
  file during "objdump -D" execution.

CVE-2017-9743 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9743):
  The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Binutils
  2.28 allows remote attackers to cause a denial of service (buffer overflow
  and application crash) or possibly have unspecified other impact via a
  crafted binary file, as demonstrated by mishandling of this file during
  "objdump -D" execution.

CVE-2017-7227 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7227):
  GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buffer
  overflow while processing a bogus input script, leading to a program crash.
  This relates to lack of '\0' termination of a name field in ldlex.l.

CVE-2017-7225 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7225):
  The find_nearest_line function in addr2line in GNU Binutils 2.28 does not
  handle the case where the main file name and the directory name are both
  empty, triggering a NULL pointer dereference and an invalid write, and
  leading to a program crash.

CVE-2017-7224 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7224):
  The find_nearest_line function in objdump in GNU Binutils 2.28 is vulnerable
  to an invalid write (of size 1) while disassembling a corrupt binary that
  contains an empty function name, leading to a program crash.

CVE-2017-7223 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7223):
  GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer overflow
  (of size 1) while attempting to unget an EOF character from the input
  stream, potentially leading to a program crash.

CVE-2017-7210 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7210):
  objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer
  over-reads (of size 1 and size 8) while handling corrupt STABS enum type
  strings in a crafted object file, leading to program crash.

CVE-2017-7209 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7209):
  The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses
  a NULL pointer while reading section contents in a corrupt binary, leading
  to a program crash.

Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-23 19:47:07 UTC
@Maintainers, could you please confirm if those CVEs are solved in 2.29?

Thank you
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2017-11-17 21:52:46 UTC
(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2017-9756 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9756):
>   The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU
>   Binutils 2.28 allows remote attackers to cause a denial of service (buffer
>   overflow and application crash) or possibly have unspecified other impact
>   via a crafted binary file, as demonstrated by mishandling of this file
>   during "objdump -D" execution.

Fixed in sys-devel/binutils-2.29.1-r1

> 
> CVE-2017-9755 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9755):
>   opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of
>   registers for bnd mode, which allows remote attackers to cause a denial of
>   service (buffer overflow and application crash) or possibly have unspecified
>   other impact via a crafted binary file, as demonstrated by mishandling of
>   this file during "objdump -D" execution.

Fixed in sys-devel/binutils-2.29.1-r1

> 
> CVE-2017-9751 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9751):
>   opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro,
>   which allows remote attackers to cause a denial of service (buffer overflow
>   and application crash) or possibly have unspecified other impact via a
>   crafted binary file, as demonstrated by mishandling of this file during
>   "objdump -D" execution.

Fixed in sys-devel/binutils-2.29.1-r1

> 
> CVE-2017-9750 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9750):
>   opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain
>   scale arrays, which allows remote attackers to cause a denial of service
>   (buffer overflow and application crash) or possibly have unspecified other
>   impact via a crafted binary file, as demonstrated by mishandling of this
>   file during "objdump -D" execution.

Fixed in sys-devel/binutils-2.29.1-r1

> 
> CVE-2017-9749 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9749):
>   The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote
>   attackers to cause a denial of service (buffer overflow and application
>   crash) or possibly have unspecified other impact via a crafted binary file,
>   as demonstrated by mishandling of this file during "objdump -D" execution.

Fixed in sys-devel/binutils-2.29.1-r1

> 
> CVE-2017-9746 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9746):
>   The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows
>   remote attackers to cause a denial of service (buffer overflow and
>   application crash) or possibly have unspecified other impact via a crafted
>   binary file, as demonstrated by mishandling of rae insns printing for this
>   file during "objdump -D" execution.

Fixed in sys-devel/binutils-2.29.1-r1

> 
> CVE-2017-9743 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9743):
>   The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Binutils
>   2.28 allows remote attackers to cause a denial of service (buffer overflow
>   and application crash) or possibly have unspecified other impact via a
>   crafted binary file, as demonstrated by mishandling of this file during
>   "objdump -D" execution.

This one no one could reproduce, not even the original submitter. So probably invalid.

> 
> CVE-2017-7227 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7227):
>   GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buffer
>   overflow while processing a bogus input script, leading to a program crash.
>   This relates to lack of '\0' termination of a name field in ldlex.l.

Fixed in sys-devel/binutils-2.29.1-r1

> 
> CVE-2017-7225 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7225):
>   The find_nearest_line function in addr2line in GNU Binutils 2.28 does not
>   handle the case where the main file name and the directory name are both
>   empty, triggering a NULL pointer dereference and an invalid write, and
>   leading to a program crash.

Fixed in sys-devel/binutils-2.29.1-r1

> 
> CVE-2017-7224 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7224):
>   The find_nearest_line function in objdump in GNU Binutils 2.28 is vulnerable
>   to an invalid write (of size 1) while disassembling a corrupt binary that
>   contains an empty function name, leading to a program crash.

Fixed in sys-devel/binutils-2.29.1-r1

> 
> CVE-2017-7223 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7223):
>   GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer overflow
>   (of size 1) while attempting to unget an EOF character from the input
>   stream, potentially leading to a program crash.

Fixed in sys-devel/binutils-2.29.1-r1

> 
> CVE-2017-7210 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7210):
>   objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer
>   over-reads (of size 1 and size 8) while handling corrupt STABS enum type
>   strings in a crafted object file, leading to program crash.

Fixed in sys-devel/binutils-2.29.1-r1

> 
> CVE-2017-7209 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7209):
>   The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses
>   a NULL pointer while reading section contents in a corrupt binary, leading
>   to a program crash.

Fixed in sys-devel/binutils-2.29.1-r1
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2017-12-27 22:49:27 UTC
All affected versions are masked. No further cleanup (toolchain package).

Nothing to do for toolchain here anymore. Please proceed.
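As an added example (not part of this bug report or of Gentoo's own tooling), a POSIX shell check that compares each installed sys-devel/binutils slot against the fixed 2.29.1-r1 named in comment 2, so a version that is masked per comment 3 but still installed is spotted. It assumes versions are dotted numerics with an optional -rN ebuild revision; Gentoo suffixes such as _p1 or _rc1 are out of scope.

```shell
#!/bin/sh
# Added example, not part of this bug or of Gentoo's portage tooling: flag
# installed sys-devel/binutils slots older than the fixed 2.29.1-r1 from this
# bug. Assumption: versions are dotted numerics with an optional -rN revision
# (Gentoo suffixes such as _p1/_rc1 are out of scope here).
FIXED_VERSION="2.29.1-r1"

# vercmp A B: prints -1, 0 or 1 as A sorts below, equal to or above B.
vercmp() {
    a_base=${1%%-r*}; b_base=${2%%-r*}
    a_rev=${1#"$a_base"}; a_rev=${a_rev#-r}; a_rev=${a_rev:-0}
    b_rev=${2#"$b_base"}; b_rev=${b_rev#-r}; b_rev=${b_rev:-0}
    while [ -n "$a_base" ] || [ -n "$b_base" ]; do
        a_part=${a_base%%.*}; b_part=${b_base%%.*}
        case $a_base in *.*) a_base=${a_base#*.} ;; *) a_base= ;; esac
        case $b_base in *.*) b_base=${b_base#*.} ;; *) b_base= ;; esac
        # Fewer components sorts below a version that extends it (2.29 < 2.29.0).
        if [ -z "$a_part" ]; then printf '%s\n' -1; return 0; fi
        if [ -z "$b_part" ]; then printf '%s\n' 1; return 0; fi
        if [ "$a_part" -lt "$b_part" ]; then printf '%s\n' -1; return 0; fi
        if [ "$a_part" -gt "$b_part" ]; then printf '%s\n' 1; return 0; fi
    done
    # Numeric parts equal: the -rN ebuild revision decides (2.29.1 < 2.29.1-r1).
    if [ "$a_rev" -lt "$b_rev" ]; then printf '%s\n' -1
    elif [ "$a_rev" -gt "$b_rev" ]; then printf '%s\n' 1
    else printf '%s\n' 0
    fi
}

# binutils_affected VERSION: succeeds when VERSION predates the fixed package.
binutils_affected() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Walk the installed-package database. binutils is slotted, so a masked old
# version can still sit next to the fixed one; each slot is checked on its own.
# The glob excludes sys-devel/binutils-config, which shares the name prefix.
for pkgdir in /var/db/pkg/sys-devel/binutils-[0-9]*; do
    [ -d "$pkgdir" ] || continue
    ver=${pkgdir##*/binutils-}
    if binutils_affected "$ver"; then
        echo "AFFECTED: sys-devel/binutils-$ver (fixed in $FIXED_VERSION)"
    else
        echo "ok:       sys-devel/binutils-$ver"
    fi
done
```

Masking stops new installs of the old versions but does not remove a slot that is already on the box, which is why the loop reports every installed slot rather than only the active one.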
Comment 4 D'juan McDonald (domhnall) 2018-01-05 06:48:21 UTC
Added to existing GLSA request.

Gentoo Security Padawan
(Jmbailey/mbailey_j)
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2018-01-07 23:12:31 UTC
This issue was resolved and addressed in GLSA 201801-01 at https://security.gentoo.org/glsa/201801-01
by GLSA coordinator Aaron Bauman (b-man).