Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 634196 (CVE-2017-14933) - <sys-devel/binutils-2.30 : denial of service (infinite loop) via a crafted ELF file (CVE-2017-14933)
Summary: <sys-devel/binutils-2.30 : denial of service (infinite loop) via a crafted EL...
Status: RESOLVED FIXED
Alias: CVE-2017-14933
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://sourceware.org/bugzilla/show_...
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on: CVE-2018-7208, CVE-2018-7568, CVE-2018-7569, CVE-2018-7570, CVE-2018-7643, CVE-2018-8945 binutils-2.30-stable
Blocks:
  Show dependency tree
 
Reported: 2017-10-13 18:40 UTC by Andreas K. Hüttel
Modified: 2018-11-27 02:01 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas K. Hüttel archtester gentoo-dev 2017-10-13 18:40:26 UTC 
Splitting this off into a separate bug.

> 
> CVE-2017-14933
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14933):
> 
> read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD)
> library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote
> attackers to cause a denial of service (infinite loop) via a crafted ELF
> file. 
> 
> References:
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=22210
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;
> h=30d0157a2ad64e64e5ff9fcc0dbe78a3e682f573
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;
> h=33e0a9a056bd23e923b929a4f2ab049ade0b1c32
>

Patch doesn't trivially apply to 2.29.1. Deferred.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2018-04-29 16:25:53 UTC 
Fixed in 2.30
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2018-11-27 02:01:38 UTC 
This issue was resolved and addressed in
 GLSA 201811-17 at https://security.gentoo.org/glsa/201811-17
by GLSA coordinator Aaron Bauman (b-man).