CVE-2017-9756 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9756):
The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.

CVE-2017-9755 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9755):
opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of registers for bnd mode, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.

CVE-2017-9751 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9751):
opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.

CVE-2017-9750 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9750):
opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain scale arrays, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.

CVE-2017-9749 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9749):
The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.

CVE-2017-9746 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9746):
The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of rae insns printing for this file during "objdump -D" execution.

CVE-2017-9743 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9743):
The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.

CVE-2017-7227 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7227):
GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buffer overflow while processing a bogus input script, leading to a program crash. This relates to lack of '\0' termination of a name field in ldlex.l.

CVE-2017-7225 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7225):
The find_nearest_line function in addr2line in GNU Binutils 2.28 does not handle the case where the main file name and the directory name are both empty, triggering a NULL pointer dereference and an invalid write, and leading to a program crash.

CVE-2017-7224 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7224):
The find_nearest_line function in objdump in GNU Binutils 2.28 is vulnerable to an invalid write (of size 1) while disassembling a corrupt binary that contains an empty function name, leading to a program crash.

CVE-2017-7223 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7223):
GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer overflow (of size 1) while attempting to unget an EOF character from the input stream, potentially leading to a program crash.

CVE-2017-7210 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7210):
objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to program crash.

CVE-2017-7209 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7209):
The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash.

@Maintainers could you please confirm if those CVEs are solved in 2.29? Thank you
(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2017-9756 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9756):
> The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU
> Binutils 2.28 allows remote attackers to cause a denial of service (buffer
> overflow and application crash) or possibly have unspecified other impact
> via a crafted binary file, as demonstrated by mishandling of this file
> during "objdump -D" execution.

Fixed in sys-devel/binutils-2.29.1-r1

> CVE-2017-9755 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9755):
> opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of
> registers for bnd mode, which allows remote attackers to cause a denial of
> service (buffer overflow and application crash) or possibly have unspecified
> other impact via a crafted binary file, as demonstrated by mishandling of
> this file during "objdump -D" execution.

Fixed in sys-devel/binutils-2.29.1-r1

> CVE-2017-9751 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9751):
> opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro,
> which allows remote attackers to cause a denial of service (buffer overflow
> and application crash) or possibly have unspecified other impact via a
> crafted binary file, as demonstrated by mishandling of this file during
> "objdump -D" execution.

Fixed in sys-devel/binutils-2.29.1-r1

> CVE-2017-9750 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9750):
> opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain
> scale arrays, which allows remote attackers to cause a denial of service
> (buffer overflow and application crash) or possibly have unspecified other
> impact via a crafted binary file, as demonstrated by mishandling of this
> file during "objdump -D" execution.

Fixed in sys-devel/binutils-2.29.1-r1

> CVE-2017-9749 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9749):
> The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote
> attackers to cause a denial of service (buffer overflow and application
> crash) or possibly have unspecified other impact via a crafted binary file,
> as demonstrated by mishandling of this file during "objdump -D" execution.

Fixed in sys-devel/binutils-2.29.1-r1

> CVE-2017-9746 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9746):
> The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows
> remote attackers to cause a denial of service (buffer overflow and
> application crash) or possibly have unspecified other impact via a crafted
> binary file, as demonstrated by mishandling of rae insns printing for this
> file during "objdump -D" execution.

Fixed in sys-devel/binutils-2.29.1-r1

> CVE-2017-9743 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9743):
> The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Binutils
> 2.28 allows remote attackers to cause a denial of service (buffer overflow
> and application crash) or possibly have unspecified other impact via a
> crafted binary file, as demonstrated by mishandling of this file during
> "objdump -D" execution.

This one no one could reproduce, not even the original submitter. So probably invalid.

> CVE-2017-7227 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7227):
> GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buffer
> overflow while processing a bogus input script, leading to a program crash.
> This relates to lack of '\0' termination of a name field in ldlex.l.

Fixed in sys-devel/binutils-2.29.1-r1

> CVE-2017-7225 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7225):
> The find_nearest_line function in addr2line in GNU Binutils 2.28 does not
> handle the case where the main file name and the directory name are both
> empty, triggering a NULL pointer dereference and an invalid write, and
> leading to a program crash.

Fixed in sys-devel/binutils-2.29.1-r1

> CVE-2017-7224 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7224):
> The find_nearest_line function in objdump in GNU Binutils 2.28 is vulnerable
> to an invalid write (of size 1) while disassembling a corrupt binary that
> contains an empty function name, leading to a program crash.

Fixed in sys-devel/binutils-2.29.1-r1

> CVE-2017-7223 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7223):
> GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer overflow
> (of size 1) while attempting to unget an EOF character from the input
> stream, potentially leading to a program crash.

Fixed in sys-devel/binutils-2.29.1-r1

> CVE-2017-7210 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7210):
> objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer
> over-reads (of size 1 and size 8) while handling corrupt STABS enum type
> strings in a crafted object file, leading to program crash.

Fixed in sys-devel/binutils-2.29.1-r1

> CVE-2017-7209 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7209):
> The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses
> a NULL pointer while reading section contents in a corrupt binary, leading
> to a program crash.

Fixed in sys-devel/binutils-2.29.1-r1

All affected versions are masked. No further cleanup (toolchain package). Nothing to do for toolchain here anymore. Please proceed.
Added to existing GLSA request. Gentoo Security Padawan (Jmbailey/mbailey_j)
This issue was resolved and addressed in GLSA 201801-01 at https://security.gentoo.org/glsa/201801-01 by GLSA coordinator Aaron Bauman (b-man).