Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 903893 (CVE-2022-4285, CVE-2023-1579)

Summary: <sys-devel/binutils-2.40: heap buffer overflow in bfd_getl64
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://sourceware.org/bugzilla/show_bug.cgi?id=29699
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 909412    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-06 03:47:53 UTC
CVE-2023-1579 (https://sourceware.org/bugzilla/show_bug.cgi?id=29988):

Heap based buffer overflow in binutils-gdb/bfd/libbfd.c in bfd_getl64.

Doesn't seem to be backported.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-29 19:10:14 UTC
CVE-2022-4285:

An illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599.

Patch is in 2.40: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5c831a3c7f3ca98d6aba1200353311e1a1f84c70
Comment 2 Larry the Git Cow gentoo-dev 2023-08-20 21:20:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b58a88f1c08436f49f259e35e261b0d116508859

commit b58a88f1c08436f49f259e35e261b0d116508859
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2023-08-20 21:19:59 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2023-08-20 21:19:59 +0000

    package.mask: extend binutils mask, bug 903893
    
    Bug: https://bugs.gentoo.org/903893
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 profiles/package.mask | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2023-08-20 21:21:30 UTC
All affected packages masked. 
No cleanup (toolchain).

Nothing left to be done by toolchain.
Comment 4 Larry the Git Cow gentoo-dev 2023-09-30 07:44:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=14d1caba8122b70c39357e14ad41c672cd2cd81d

commit 14d1caba8122b70c39357e14ad41c672cd2cd81d
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-09-30 07:43:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-09-30 07:44:23 +0000

    [ GLSA 202309-15 ] GNU Binutils: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/866713
    Bug: https://bugs.gentoo.org/867937
    Bug: https://bugs.gentoo.org/903893
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202309-15.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)