Bug 526626 (CVE-2014-8484, CVE-2014-8485, CVE-2014-8501, CVE-2014-8502, CVE-2014-8503, CVE-2014-8504, CVE-2014-8737, CVE-2014-8738) - <sys-devel/binutils-2.25: invalid read flaw in libbfd (CVE-2014-{8484,8485,8501,8502,8503,8504,8737,8738})
Summary: <sys-devel/binutils-2.25: invalid read flaw in libbfd (CVE-2014-{8484,8485,85...
Status: RESOLVED FIXED
Alias: CVE-2014-8484, CVE-2014-8485, CVE-2014-8501, CVE-2014-8502, CVE-2014-8503, CVE-2014-8504, CVE-2014-8737, CVE-2014-8738
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://sourceware.org/git/?p=binutil...
Whiteboard: A3 [glsa cve]
Keywords:
Duplicates: 527616 528984
Depends on:
Blocks:
 
Reported: 2014-10-24 07:56 UTC by Agostino Sarubbo
Modified: 2017-01-23 03:48 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-10-24 07:56:39 UTC
From ${URL} :

Michal Zalewski reported an invalid read flaw in libbfd, used by, for example, the "strings" utility. Running "strings" on a malicious file could cause "strings" to crash:

http://seclists.org/oss-sec/2014/q4/424

It is unclear yet if it is possible to leverage this issue for more than a crash.

Dave Rutherford noted on oss-security that using certain web browsers to save a malicious file could trigger this issue and cause the browser to crash:

http://seclists.org/oss-sec/2014/q4/426


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Anthony Basile gentoo-dev 2014-10-24 12:44:08 UTC
See also: https://sourceware.org/bugzilla/show_bug.cgi?id=17509

That bug affects both 2.23.2 and 2.24-r3.
Comment 2 SpanKY gentoo-dev 2014-10-24 15:47:58 UTC
the fix is already in 2.24.90 and will be in 2.25 final when it's released.  i don't see a need to stabilize/backport here though.  binutils is known to be not resilient to bad inputs, so anyone using their tools/libs in security sensitive areas is doing it wrong already.
Comment 3 SpanKY gentoo-dev 2014-11-09 00:20:52 UTC
*** Bug 527616 has been marked as a duplicate of this bug. ***
Comment 4 SpanKY gentoo-dev 2014-11-12 00:45:07 UTC
*** Bug 528984 has been marked as a duplicate of this bug. ***
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 20:11:10 UTC
CVE-2014-8737 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8737):
  Multiple directory traversal vulnerabilities in GNU binutils 2.24 and
  earlier allow local users to delete arbitrary files via a .. (dot dot) or
  full path name in an archive to (1) strip or (2) objcopy or create arbitrary
  files via (3) a .. (dot dot) or full path name in an archive to ar.

CVE-2014-8504 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8504):
  Stack-based buffer overflow in the srec_scan function in bfd/srec.c in GNU
  binutils 2.24 and earlier allows remote attackers to cause a denial of
  service (crash) and possibly have other unspecified impact via a crafted
  file.

CVE-2014-8503 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8503):
  Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in GNU
  binutils 2.24 and earlier allows remote attackers to cause a denial of
  service (crash) and possibly have other unspecified impact via a crafted
  ihex file.

CVE-2014-8502 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8502):
  Heap-based buffer overflow in the pe_print_edata function in bfd/peXXigen.c
  in GNU binutils 2.24 and earlier allows remote attackers to cause a denial
  of service (crash) and possibly have other unspecified impact via a
  truncated export table in a PE file.

CVE-2014-8501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8501):
  The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU binutils 2.24
  and earlier allows remote attackers to cause a denial of service
  (out-of-bounds write) and possibly have other unspecified impact via a
  crafted NumberOfRvaAndSizes field in the AOUT header in a PE executable.

CVE-2014-8485 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8485):
  The setup_group function in bfd/elf.c in libbfd in GNU binutils 2.24 and
  earlier allows remote attackers to cause a denial of service (crash) and
  possibly execute arbitrary code via crafted section group headers in an ELF
  file.

CVE-2014-8484 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8484):
  The srec_scan function in bfd/srec.c in libbfd in GNU binutils before 2.25
  allows remote attackers to cause a denial of service (out-of-bounds read)
  via a small S-record.
Comment 6 SpanKY gentoo-dev 2015-02-09 15:50:34 UTC
2.25 is in the tree now, but i don't see it being fast tracked stable-wise
Comment 7 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-09 20:28:55 UTC
(In reply to SpanKY from comment #6)
> 2.25 is in the tree now, but i don't see it being fast tracked stable-wise

Thanks for adding it to tree. Please call for stabilization when you consider it appropriate. Do you expect any issues when stabilizing/updating? If so, do we have a tracker bug for issues we can make a blocker for this bug?
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-06-20 15:49:39 UTC
CVE-2014-8738 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8738):
  The _bfd_slurp_extended_name_table function in bfd/archive.c in GNU binutils
  2.24 and earlier allows remote attackers to cause a denial of service
  (invalid write, segmentation fault, and crash) via a crafted extended name
  table in an archive.
Comment 9 Hanno Böck gentoo-dev 2015-07-10 13:20:32 UTC
vapier: this has been in the tree for a while now. Can we go on with 2.25 stabilization?
I don't see any 2.25 specific bugs right now. If there are blockers can you mark them to block this bug?
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-25 00:20:18 UTC
Adjusting summary: Gentoo repository never had v2.24.90 so the first version containing the fix which landed in the repository was =sys-devel/binutils-2.25.

=sys-devel/binutils-2.25.1-r1 is the current stable version in the repository.

New GLSA created.

Added CVE status based on comment #5.


@ Maintainer(s): Please clean up <sys-devel/binutils-2.25. If you don't want to remove the previous version, please apply masks indicating a security problem.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-12-08 13:14:46 UTC
This issue was resolved and addressed in
 GLSA 201612-24 at https://security.gentoo.org/glsa/201612-24
by GLSA coordinator Aaron Bauman (b-man).
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-12-08 13:15:23 UTC
@maintainer(s), reopening for cleanup.
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2017-01-23 03:48:24 UTC
tree is clean.