Bug 764170 (CVE-2020-35493, CVE-2020-35494, CVE-2020-35495, CVE-2020-35496, CVE-2020-35507) - <sys-devel/binutils-2.34: multiple vulnerabilities (CVE-2020-{35493,35494,35495,35496,35507})
Summary: <sys-devel/binutils-2.34: multiple vulnerabilities (CVE-2020-{35493,35494,354...
Status: RESOLVED FIXED
Alias: CVE-2020-35493, CVE-2020-35494, CVE-2020-35495, CVE-2020-35496, CVE-2020-35507
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa+ cve]
Reported: 2021-01-06 20:08 UTC by John Helmert III
Modified: 2021-07-10 02:52 UTC
Description John Helmert III gentoo-dev Security 2021-01-06 20:08:56 UTC
CVE-2020-35493 (https://sourceware.org/bugzilla/show_bug.cgi?id=25307A):

A flaw exists in binutils in bfd/pef.c. An attacker who is able to submit a crafted PEF file to be parsed by objdump could cause a heap buffer overflow -> out-of-bounds read that could lead to an impact to application availability. This flaw affects binutils versions prior to 2.34.

Patch: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f2a3559d54602cecfec6d90f792be4a70ad918ab

CVE-2020-35494 (https://sourceware.org/bugzilla/show_bug.cgi?id=25307):

There's a flaw in binutils /opcodes/tic4x-dis.c. An attacker who is able to submit a crafted input file to be processed by binutils could cause usage of uninitialized memory. The highest threat is to application availability with a lower threat to data confidentiality. This flaw affects binutils versions prior to 2.34.

Patch: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=2c5b6e1a1c406cbe06e2d6f77861764ebd01b9ce

CVE-2020-35495 (https://sourceware.org/bugzilla/show_bug.cgi?id=25306):

There's a flaw in binutils /bfd/pef.c. An attacker who is able to submit a crafted input file to be processed by the objdump program could cause a null pointer dereference. The greatest threat from this flaw is to application availability. This flaw affects binutils versions prior to 2.34.

Same fix as next one according to URL.

CVE-2020-35496 (https://sourceware.org/bugzilla/show_bug.cgi?id=25308):

There's a flaw in bfd_pef_scan_start_address() of bfd/pef.c in binutils which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability. This flaw affects binutils versions prior to 2.34.

Patch: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7a0fb7be96e0ce79e1ae429bc1ba913e5244d537

CVE-2020-35507 (https://sourceware.org/bugzilla/show_bug.cgi?id=25308):

There's a flaw in bfd_pef_parse_function_stubs of bfd/pef.c in binutils which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability. This flaw affects binutils versions prior to 2.34.

Same patch as previous.


All patches included in 2.34 tag, so we're waiting for cleanup whenever possible here.
Comment 1 Larry the Git Cow gentoo-dev 2021-01-23 18:45:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35a10404afc3d5e0db2ef6a052bf82ca30e32094

commit 35a10404afc3d5e0db2ef6a052bf82ca30e32094
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-01-23 18:44:26 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-01-23 18:45:12 +0000

    package.mask: Extend binutils mask
    
    Bug: https://bugs.gentoo.org/764170
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 profiles/package.mask | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2021-01-23 18:46:03 UTC
All affected packages masked. No cleanup (toolchain). Please proceed.
Comment 3 John Helmert III gentoo-dev Security 2021-01-24 18:59:24 UTC
(In reply to Andreas K. Hüttel from comment #2)
> All affected packages masked. No cleanup (toolchain). Please proceed.

Thanks!
Comment 4 John Helmert III gentoo-dev Security 2021-07-06 00:48:15 UTC
GLSA request filed.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2021-07-10 02:52:25 UTC
This issue was resolved and addressed in
 GLSA 202107-24 at https://security.gentoo.org/glsa/202107-24
by GLSA coordinator John Helmert III (ajak).