Bug 637642 (CVE-2017-16826, CVE-2017-16827, CVE-2017-16828, CVE-2017-16829, CVE-2017-16830, CVE-2017-16831, CVE-2017-16832) - <sys-devel/binutils-2.30 : Multiple Vulnerabilities
Summary: <sys-devel/binutils-2.30 : Multiple Vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-16826, CVE-2017-16827, CVE-2017-16828, CVE-2017-16829, CVE-2017-16830, CVE-2017-16831, CVE-2017-16832
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on: CVE-2018-7208, CVE-2018-7568, CVE-2018-7569, CVE-2018-7570, CVE-2018-7643, CVE-2018-8945 binutils-2.30-stable
Blocks:
Reported: 2017-11-16 03:19 UTC by Francis Booth
Modified: 2018-11-27 02:01 UTC
Description Francis Booth 2017-11-16 03:19:18 UTC
## CVE-2017-16826

The coff_slurp_line_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted PE file.

## CVE-2017-16827

The aout_get_external_symbols function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (slurp_symtab invalid free and application crash) or possibly have unspecified other impact via a crafted ELF file.

## CVE-2017-16828

The display_debug_frames function in dwarf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (integer overflow and heap-based buffer over-read, and application crash) or possibly have unspecified other impact via a crafted ELF file, related to print_debug_frame.

## CVE-2017-16829

The _bfd_elf_parse_gnu_properties function in elf-properties.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not prevent negative pointers, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a crafted ELF file.

## CVE-2017-16830

The print_gnu_property_note function in readelf.c in GNU Binutils 2.29.1 does not have integer-overflow protection on 32-bit platforms, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted ELF file.

## CVE-2017-16831

coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate the symbol count, which allows remote attackers to cause a denial of service (integer overflow and application crash, or excessive memory allocation) or possibly have unspecified other impact via a crafted PE file.

## CVE-2017-16832

The pe_bfd_read_buildid function in peicode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate size and offset values in the data dictionary, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted PE file.


~ eleix (Security Padawan)

Reproducible: Didn't try
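
The missing size/offset and symbol-count validation described for CVE-2017-16831 and CVE-2017-16832, and the 32-bit integer overflow described for CVE-2017-16830, call for the same defensive pattern: compare attacker-controlled fields against the bytes remaining in the file using subtraction and division, never an unchecked sum or product. The block below is an added illustration, not binutils code and not the upstream fix; the function names, the 18-byte record size and all sample values are assumptions constructed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: true when [offset, offset + size) lies inside a file
   of file_size bytes. Subtracting instead of adding means nothing can wrap. */
bool range_in_file(uint64_t file_size, uint32_t offset, uint32_t size)
{
    if (offset > file_size)
        return false;
    return size <= file_size - offset;
}

/* What an unchecked 32-bit multiplication yields for a table length. */
uint32_t naive_table_bytes(uint32_t count, uint32_t entry_size)
{
    return count * entry_size;               /* wraps modulo 2^32 */
}

/* Hypothetical helper: accept a table of `count` records only if all of it
   fits between `offset` and end of file; the byte length goes to *bytes_out. */
bool table_in_file(uint64_t file_size, uint32_t offset, uint32_t count,
                   uint32_t entry_size, size_t *bytes_out)
{
    if (count == 0 || entry_size == 0 || offset > file_size)
        return false;
    uint64_t avail = file_size - offset;
    if (count > avail / entry_size)          /* division cannot overflow */
        return false;
    uint64_t bytes = (uint64_t)count * entry_size;
    if (bytes > SIZE_MAX)                    /* matters when size_t is 32-bit */
        return false;
    *bytes_out = (size_t)bytes;
    return true;
}

int main(void)
{
    /* Constructed values: a 4096-byte file and 18-byte records. */
    size_t n = 0;
    printf("range 4000+96:       %d\n", range_in_file(4096, 4000, 96));
    printf("range 0xfffffff0+32: %d\n", range_in_file(4096, 0xfffffff0u, 32));
    printf("naive 0x10000000*18: 0x%x\n",
           (unsigned)naive_table_bytes(0x10000000u, 18));
    bool ok = table_in_file(4096, 512, 10, 18, &n);
    printf("table 10*18:         %d (%zu bytes)\n", ok, n);
    return 0;
}
```

The naive product for a count of 0x10000000 wraps to 0x20000000, a length that looks plausible to later code, while the division-based check rejects the same count outright.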
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-16 03:34:52 UTC
@Maintainers please let us know when tree is clean from vulnerable versions.

Thank you
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2017-12-15 23:01:33 UTC
(In reply to Francis Booth from comment #0)
> ## CVE-2017-16826
> 
> The coff_slurp_line_table function in coffcode.h in the Binary File
> Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils
> 2.29.1, allows remote attackers to cause a denial of service (invalid memory
> access and application crash) or possibly have unspecified other impact via
> a crafted PE file.

Fixed in upstream master
Added to gentoo/binutils-2.29.1 branch (patchlevel 4)

> 
> ## CVE-2017-16827
> 
> The aout_get_external_symbols function in aoutx.h in the Binary File
> Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils
> 2.29.1, allows remote attackers to cause a denial of service (slurp_symtab
> invalid free and application crash) or possibly have unspecified other
> impact via a crafted ELF file.

Fixed in upstream master
Added to gentoo/binutils-2.29.1 branch (patchlevel 4)

> 
> ## CVE-2017-16828
> 
> The display_debug_frames function in dwarf.c in GNU Binutils 2.29.1 allows
> remote attackers to cause a denial of service (integer overflow and
> heap-based buffer over-read, and application crash) or possibly have
> unspecified other impact via a crafted ELF file, related to
> print_debug_frame.

Fixed in upstream master
Patch does not apply trivially to gentoo/binutils-2.29.1 branch

> 
> ## CVE-2017-16829
> 
> The _bfd_elf_parse_gnu_properties function in elf-properties.c in the Binary
> File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils
> 2.29.1, does not prevent negative pointers, which allows remote attackers to
> cause a denial of service (out-of-bounds read and application crash) or
> possibly have unspecified other impact via a crafted ELF file.

Fixed in upstream master
Added to gentoo/binutils-2.29.1 branch (patchlevel 4)

> 
> ## CVE-2017-16830
> 
> The print_gnu_property_note function in readelf.c in GNU Binutils 2.29.1
> does not have integer-overflow protection on 32-bit platforms, which allows
> remote attackers to cause a denial of service (segmentation violation and
> application crash) or possibly have unspecified other impact via a crafted
> ELF file.

Fixed in upstream master
Added to gentoo/binutils-2.29.1 branch (patchlevel 4)

> 
> ## CVE-2017-16831
> 
> coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as
> distributed in GNU Binutils 2.29.1, does not validate the symbol count,
> which allows remote attackers to cause a denial of service (integer overflow
> and application crash, or excessive memory allocation) or possibly have
> unspecified other impact via a crafted PE file.

Fixed in upstream master
Patch does not apply trivially to gentoo/binutils-2.29.1 branch

> 
> ## CVE-2017-16832
> 
> The pe_bfd_read_buildid function in peicode.h in the Binary File Descriptor
> (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not
> validate size and offset values in the data dictionary, which allows remote
> attackers to cause a denial of service (segmentation violation and
> application crash) or possibly have unspecified other impact via a crafted
> PE file.

Fixed in upstream master
Added to gentoo/binutils-2.29.1 branch (patchlevel 4)
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2018-04-29 16:37:17 UTC
(In reply to Andreas K. Hüttel from comment #2)
> (In reply to Francis Booth from comment #0)
> > ## CVE-2017-16826
> > 
> > The coff_slurp_line_table function in coffcode.h in the Binary File
> > Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils
> > 2.29.1, allows remote attackers to cause a denial of service (invalid memory
> > access and application crash) or possibly have unspecified other impact via
> > a crafted PE file.
> 
> Fixed in upstream master
> Added to gentoo/binutils-2.29.1 branch (patchlevel 4)

Fixed in 2.30

> 
> > 
> > ## CVE-2017-16827
> > 
> > The aout_get_external_symbols function in aoutx.h in the Binary File
> > Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils
> > 2.29.1, allows remote attackers to cause a denial of service (slurp_symtab
> > invalid free and application crash) or possibly have unspecified other
> > impact via a crafted ELF file.
> 
> Fixed in upstream master
> Added to gentoo/binutils-2.29.1 branch (patchlevel 4)

Fixed in 2.30

> 
> > 
> > ## CVE-2017-16828
> > 
> > The display_debug_frames function in dwarf.c in GNU Binutils 2.29.1 allows
> > remote attackers to cause a denial of service (integer overflow and
> > heap-based buffer over-read, and application crash) or possibly have
> > unspecified other impact via a crafted ELF file, related to
> > print_debug_frame.
> 
> Fixed in upstream master
> Patch does not apply trivially to gentoo/binutils-2.29.1 branch

Fixed in 2.30

> 
> > 
> > ## CVE-2017-16829
> > 
> > The _bfd_elf_parse_gnu_properties function in elf-properties.c in the Binary
> > File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils
> > 2.29.1, does not prevent negative pointers, which allows remote attackers to
> > cause a denial of service (out-of-bounds read and application crash) or
> > possibly have unspecified other impact via a crafted ELF file.
> 
> Fixed in upstream master
> Added to gentoo/binutils-2.29.1 branch (patchlevel 4)

Fixed in 2.30

> 
> > 
> > ## CVE-2017-16830
> > 
> > The print_gnu_property_note function in readelf.c in GNU Binutils 2.29.1
> > does not have integer-overflow protection on 32-bit platforms, which allows
> > remote attackers to cause a denial of service (segmentation violation and
> > application crash) or possibly have unspecified other impact via a crafted
> > ELF file.
> 
> Fixed in upstream master
> Added to gentoo/binutils-2.29.1 branch (patchlevel 4)

Fixed in 2.30

> 
> > 
> > ## CVE-2017-16831
> > 
> > coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as
> > distributed in GNU Binutils 2.29.1, does not validate the symbol count,
> > which allows remote attackers to cause a denial of service (integer overflow
> > and application crash, or excessive memory allocation) or possibly have
> > unspecified other impact via a crafted PE file.
> 
> Fixed in upstream master
> Patch does not apply trivially to gentoo/binutils-2.29.1 branch

Fixed in 2.30

> 
> > 
> > ## CVE-2017-16832
> > 
> > The pe_bfd_read_buildid function in peicode.h in the Binary File Descriptor
> > (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not
> > validate size and offset values in the data dictionary, which allows remote
> > attackers to cause a denial of service (segmentation violation and
> > application crash) or possibly have unspecified other impact via a crafted
> > PE file.
> 
> Fixed in upstream master
> Added to gentoo/binutils-2.29.1 branch (patchlevel 4)

Fixed in 2.30
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2018-11-27 02:01:45 UTC
This issue was resolved and addressed in
 GLSA 201811-17 at https://security.gentoo.org/glsa/201811-17
by GLSA coordinator Aaron Bauman (b-man).