Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 627516 (CVE-2017-12799) - <sys-devel/binutils-2.29.1: heap buffer overflow in elf_read_notes (CVE-2017-12799)
Summary: <sys-devel/binutils-2.29.1: heap buffer overflow in elf_read_notes (CVE-2017-...
Status: RESOLVED FIXED
Alias: CVE-2017-12799
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://sourceware.org/bugzilla/show_...
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-11 04:41 UTC by D'juan McDonald (domhnall)
Modified: 2018-01-07 23:11 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2017-08-11 04:41:21 UTC
The elf_read_notesfunction in bfd/elf.c in GNU Binutils 2.29 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file.

Upstream Fix:

The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=957e1fc1c5d0262e4b2f764cf031ad1458446498

commit 957e1fc1c5d0262e4b2f764cf031ad1458446498
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Aug 10 09:37:36 2017 +0100

    Fix out of bounds memory access when trying to allocate space for a note of size -1.
Comment 1 D'juan McDonald (domhnall) 2017-08-22 17:40:10 UTC
@maintainer(s), please test and follow procedure to stabilize and/or close on report...thank you.

Daj'Uan (mbailey_J)
Gentoo Security Scout
Comment 2 Andreas K. Hüttel gentoo-dev 2017-12-27 22:55:40 UTC
All affected versions are masked. No further cleanup (toolchain package). 

Nothing to do for toolchain here anymore. Please proceed.
Comment 3 D'juan McDonald (domhnall) 2018-01-05 06:43:06 UTC
Added to existing GLSA request.


Gentoo Security Padawan
(Jmbailey/mbailey_j)
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2018-01-07 23:11:12 UTC
This issue was resolved and addressed in
 GLSA 201801-01 at https://security.gentoo.org/glsa/201801-01
by GLSA coordinator Aaron Bauman (b-man).