Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 635692 (CVE-2017-15023, CVE-2017-15938, CVE-2017-15939) - <sys-devel/binutils-2.29.1-r1: Multiple Denial of Service Bugs
Summary: <sys-devel/binutils-2.29.1-r1: Multiple Denial of Service Bugs
Status: RESOLVED FIXED
Alias: CVE-2017-15023, CVE-2017-15938, CVE-2017-15939
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-28 15:37 UTC by Aleksandr Wagner (Kivak)
Modified: 2018-01-07 23:12 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aleksandr Wagner (Kivak) 2017-10-28 15:37:04 UTC
CVE-2017-15938 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15938):

dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs in the case of a relocatable object file, which allows remote attackers to cause a denial of service (find_abstract_instance_name invalid memory read, segmentation fault, and application crash). 

References:

https://blogs.gentoo.org/ago/2017/10/24/binutils-invalid-memory-read-in-find_abstract_instance_name-dwarf2-c/
https://sourceware.org/bugzilla/show_bug.cgi?id=22209
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1b86808a86077722ee4f42ff97f836b12420bb2a

CVE-2017-15023 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15023):

read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not properly validate the format count, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename. 

References:

https://blogs.gentoo.org/ago/2017/10/03/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c/
https://sourceware.org/bugzilla/show_bug.cgi?id=22200
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c361faae8d964db951b7100cada4dcdc983df1bf

CVE-2017-15939 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15939):

dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line file table, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename. NOTE: this issue is caused by an incomplete fix for CVE-2017-15023. 

References:

https://blogs.gentoo.org/ago/2017/10/24/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c-incomplete-fix-for-cve-2017-15023/
https://sourceware.org/bugzilla/show_bug.cgi?id=22205
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a54018b72d75abf2e74bf36016702da06399c1d9
Comment 1 Andreas K. Hüttel gentoo-dev 2017-11-17 22:04:29 UTC
(In reply to Aleksandr Wagner (Kivak) from comment #0)
> CVE-2017-15938
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15938):
> 
> dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as
> distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs in
> the case of a relocatable object file, which allows remote attackers to
> cause a denial of service (find_abstract_instance_name invalid memory read,
> segmentation fault, and application crash). 
> 
> References:
> 
> https://blogs.gentoo.org/ago/2017/10/24/binutils-invalid-memory-read-in-
> find_abstract_instance_name-dwarf2-c/
> https://sourceware.org/bugzilla/show_bug.cgi?id=22209
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;
> h=1b86808a86077722ee4f42ff97f836b12420bb2a

Will be in 2.30; in master branch. Backport not trivial.

> 
> CVE-2017-15023
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15023):
> 
> read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD)
> library (aka libbfd), as distributed in GNU Binutils 2.29, does not properly
> validate the format count, which allows remote attackers to cause a denial
> of service (NULL pointer dereference and application crash) via a crafted
> ELF file, related to concat_filename. 
> 
> References:
> 
> https://blogs.gentoo.org/ago/2017/10/03/binutils-null-pointer-dereference-in-
> concat_filename-dwarf2-c/
> https://sourceware.org/bugzilla/show_bug.cgi?id=22200
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;
> h=c361faae8d964db951b7100cada4dcdc983df1bf

Will be in 2.30; in master branch. Backported to gentoo/binutils-2.29 branch.

> 
> CVE-2017-15939
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15939):
> 
> dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as
> distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line
> file table, which allows remote attackers to cause a denial of service (NULL
> pointer dereference and application crash) via a crafted ELF file, related
> to concat_filename. NOTE: this issue is caused by an incomplete fix for
> CVE-2017-15023. 
> 
> References:
> 
> https://blogs.gentoo.org/ago/2017/10/24/binutils-null-pointer-dereference-in-
> concat_filename-dwarf2-c-incomplete-fix-for-cve-2017-15023/
> https://sourceware.org/bugzilla/show_bug.cgi?id=22205
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;
> h=a54018b72d75abf2e74bf36016702da06399c1d9

Will be in 2.30; in master branch. Backported to gentoo/binutils-2.29 branch.
Comment 2 Andreas K. Hüttel gentoo-dev 2017-12-27 22:57:05 UTC
All affected versions are masked. No further cleanup (toolchain package). 

Nothing to do for toolchain here anymore. Please proceed.
Comment 3 D'juan McDonald (domhnall) 2018-01-05 06:48:51 UTC
Added to existing GLSA request.


Gentoo Security Padawan
(Jmbailey/mbailey_j)
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2018-01-07 23:12:39 UTC
This issue was resolved and addressed in
 GLSA 201801-01 at https://security.gentoo.org/glsa/201801-01
by GLSA coordinator Aaron Bauman (b-man).