Bug 618516 (CVE-2017-8392, CVE-2017-8393, CVE-2017-8394, CVE-2017-8395, CVE-2017-8396, CVE-2017-8397) - <sys-devel/binutils-2.28-r1: libbfd: multiple vulnerabilities (CVE-2017-{8392,8393,8394,8395,8396,8397})
Status: RESOLVED FIXED
Alias: CVE-2017-8392, CVE-2017-8393, CVE-2017-8394, CVE-2017-8395, CVE-2017-8396, CVE-2017-8397
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa cve]
Depends on: CVE-2017-6965, CVE-2017-6966, CVE-2017-6969
Reported: 2017-05-15 09:36 UTC by GLSAMaker/CVETool Bot
Modified: 2017-09-17 15:31 UTC
Runtime testing required: ---
Description GLSAMaker/CVETool Bot gentoo-dev 2017-05-15 09:36:04 UTC
CVE-2017-8397 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8397):
  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
  Binutils 2.28, is vulnerable to an invalid read of size 1 and an invalid
  write of size 1 during processing of a corrupt binary containing reloc(s)
  with negative addresses. This vulnerability causes programs that conduct an
  analysis of binary programs using the libbfd library, such as objdump, to
  crash.

CVE-2017-8396 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8396):
  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
  Binutils 2.28, is vulnerable to an invalid read of size 1 because the
  existing reloc offset range tests didn't catch small negative offsets less
  than the size of the reloc field. This vulnerability causes programs that
  conduct an analysis of binary programs using the libbfd library, such as
  objdump, to crash.

CVE-2017-8395 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8395):
  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
  Binutils 2.28, is vulnerable to an invalid write of size 8 because of a
  missing malloc() return-value check to see if memory had actually been
  allocated in the _bfd_generic_get_section_contents function. This
  vulnerability causes programs that conduct an analysis of binary programs
  using the libbfd library, such as objcopy, to crash.

CVE-2017-8394 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8394):
  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
  Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL
  pointer dereferencing of _bfd_elf_large_com_section. This vulnerability
  causes programs that conduct an analysis of binary programs using the libbfd
  library, such as objcopy, to crash.

CVE-2017-8393 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8393):
  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
  Binutils 2.28, is vulnerable to a global buffer over-read error because of
  an assumption made by code that runs for objcopy and strip, that
  SHT_REL/SHT_RELA sections are always named starting with a .rel/.rela
  prefix. This vulnerability causes programs that conduct an analysis of
  binary programs using the libbfd library, such as objcopy and strip, to
  crash.

CVE-2017-8392 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8392):
  The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
  Binutils 2.28, is vulnerable to an invalid read of size 8 because of a
  missing check to determine whether symbols are NULL in the
  _bfd_dwarf2_find_nearest_line function. This vulnerability causes programs
  that conduct an analysis of binary programs using the libbfd library, such
  as objdump, to crash.
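Added illustration (not code from binutils or from this bug report) of the bounds-check class behind CVE-2017-8396 and CVE-2017-8397: a reloc offset that originated as a small negative value wraps when added to the reloc field size, so a naive `offset + size <= section_size` test accepts it. The function names, the `vma_t` alias and the sample sizes are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed alias for an unsigned address/offset type, as object-file
   libraries typically use; not BFD's own typedef. */
typedef uint64_t vma_t;

/* Naive range test. A huge offset is rejected, but an offset that came
   from a small negative number (e.g. -1 reinterpreted as unsigned) makes
   offset + reloc_size wrap around to a tiny value and pass the test. */
bool reloc_offset_ok_naive(vma_t offset, vma_t reloc_size, vma_t section_size)
{
    return offset + reloc_size <= section_size;
}

/* Overflow-safe test: reject anything past the end first, then compare
   the remaining room against the field size using only a subtraction
   that cannot wrap. */
bool reloc_offset_ok_safe(vma_t offset, vma_t reloc_size, vma_t section_size)
{
    if (offset > section_size)
        return false;
    return section_size - offset >= reloc_size;
}

int main(void)
{
    /* Constructed sample: a 256-byte section and 4-byte reloc fields. */
    vma_t section_size = 0x100;
    vma_t reloc_size = 4;
    /* Offset a corrupt file could supply: -1 stored in an unsigned field. */
    vma_t bad = (vma_t)(int64_t)-1;

    printf("offset -1: naive=%d safe=%d\n",
           reloc_offset_ok_naive(bad, reloc_size, section_size),
           reloc_offset_ok_safe(bad, reloc_size, section_size));
    printf("offset 0xFC: safe=%d, offset 0xFD: safe=%d\n",
           reloc_offset_ok_safe(0xFC, reloc_size, section_size),
           reloc_offset_ok_safe(0xFD, reloc_size, section_size));
    return 0;
}
```

With the naive test the -1 offset is accepted and a later read of the reloc field would touch memory before the section buffer, which is the invalid read the advisories describe.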
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-05-15 09:43:52 UTC
Correction, I mixed CVE-2017-8395 with CVE-2017-8396:

CVE-2017-8395:
==============
Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=21431

Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e63d123268f23a4cbc45ee55fb6dbc7d84729da3

CVE-2017-8396:
==============
Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=21432

Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a941291cab71b9ac356e1c03968c177c03e602ab
Comment 3 Matthias Maier gentoo-dev 2017-06-06 22:32:13 UTC
2.27: could not backport patches
2.28: Fixed in 2.28-r1

 * The patch for CVE-2017-8392 cannot be backported to 2.28, the function
   and code snippet in question do not exist.

   Security, please advise.
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Tue Jun 6 17:04:54 2017 -0500

    sys-devel/binutils: 2.28 - multiple security fixes, bug #618514, bug #618516, bug #618520, bug #618826
    
    CVE-2017-9041
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=75ec1fdbb797a389e4fe4aaf2e15358a070dcc19
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=c4ab9505b53cdc899506ed421fddb7e1f8faf7a3
    
    CVE-2017-9040, CVE-2017-9042
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf
    
    CVE-2017-9039
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=82156ab704b08b124d319c0decdbd48b3ca2dac5
    
    CVE-2017-9038
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d
    
    CVE-2017-8421
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=39ff1b79f687b65f4144ddb379f22587003443fb
    
    CVE-2017-8396, CVE-2017-8397
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=04b31182bf3f8a1a76e995bdfaaaab4c009b9cb2
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a941291cab71b9ac356e1c03968c177c03e602ab
    
    CVE-2017-8395
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e63d123268f23a4cbc45ee55fb6dbc7d84729da3
    
    CVE-2017-8394
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7eacd66b086cabb1daab20890d5481894d4f56b2
    
    CVE-2017-8393
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bce964aa6c777d236fbd641f2bc7bb931cfe4bf3
    
    CVE-2017-8398
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34
    
    CVE-2017-7614
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ad32986fdf9da1c8748e47b8b45100398223dba8
    
    [1] https://bugs.gentoo.org/show_bug.cgi?id=618514
    [2] https://bugs.gentoo.org/show_bug.cgi?id=618516
    [3] https://bugs.gentoo.org/show_bug.cgi?id=618820
    [4] https://bugs.gentoo.org/show_bug.cgi?id=618826
    [5] https://bugs.gentoo.org/show_bug.cgi?id=618006
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.2
Comment 4 Andreas K. Hüttel gentoo-dev 2017-09-15 18:54:24 UTC
All vulnerable versions are masked. No cleanup (toolchain package).
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-09-17 15:31:24 UTC
This issue was resolved and addressed in
 GLSA 201709-02 at https://security.gentoo.org/glsa/201709-02
by GLSA coordinator Aaron Bauman (b-man).