
Bug 866713 (CVE-2022-38128, CVE-2022-38533)

Summary: sys-devel/binutils: heap buffer overflow
Product: Gentoo Security
Component: Vulnerabilities
Reporter: John Helmert III <ajak>
Assignee: Gentoo Security <security>
Status: CONFIRMED ---
Severity: normal
Priority: Normal
CC: toolchain
Version: unspecified
Hardware: All
OS: Linux
URL: https://sourceware.org/bugzilla/show_bug.cgi?id=29482
Whiteboard: A3 [upstream/ebuild]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-26 15:46:13 UTC
CVE-2022-38533:

In GNU Binutils before 2.4.0, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new via a crafted file.

It obviously means 2.40.

Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-02 00:05:30 UTC
CVE-2022-38128 (https://sourceware.org/bugzilla/show_bug.cgi?id=29370):

An infinite loop may be triggered in display_debug_abbrev() function in binutils/dwarf.c while opening a crafted ELF, which may lead to denial of service by a local attacker.

Comment 2 Andreas K. Hüttel archtester gentoo-dev 2022-11-06 22:24:20 UTC
Fixed for 2.40, backport nontrivial