Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 618520 (CVE-2017-8421) - <sys-devel/binutils-2.27-r1: Memory exhaustion in objdump via a crafted PE file (CVE-2017-8421)
Summary: <sys-devel/binutils-2.27-r1: Memory exhaustion in objdump via a crafted PE fi...
Status: RESOLVED FIXED
Alias: CVE-2017-8421
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://sourceware.org/bugzilla/show_...
Whiteboard: A3 [glsa cve]
Keywords:
Depends on: CVE-2017-6965, CVE-2017-6966, CVE-2017-6969
Blocks:
  Show dependency tree
 
Reported: 2017-05-15 09:47 UTC by GLSAMaker/CVETool Bot
Modified: 2017-09-17 15:31 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-05-15 09:47:32 UTC
CVE-2017-8421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8421):
  The function coff_set_alignment_hook in coffcode.h in Binary File Descriptor
  (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a
  memory leak vulnerability which can cause memory exhaustion in objdump via a
  crafted PE file. Additional validation in dump_relocs_in_section in
  objdump.c can resolve this.


Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=39ff1b79f687b65f4144ddb379f22587003443fb
Comment 1 Matthias Maier gentoo-dev 2017-06-06 19:28:20 UTC
Fixed in 2.27 for the :2.27 slot


commit cd1ba24b30850d49e58b79af6e0f5387f9f7ed8d (HEAD -> master, origin/master, origin/HEAD)
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Tue Jun 6 14:01:21 2017 -0500

    sys-devel/binutils: 2.27 - multiple security fixes, bug #618520, bug #618826
    
    CVE-2017-8421
      Prevent memory exhaustion from a corrupt PE binary with an overlarge number of relocs.
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=39ff1b79f687b65f4144ddb379f22587003443fb
    
    CVE-2017-9038
      readelf: Update check for invalid word offsets in ARM unwind information.
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d
    
    CVE-2017-9038
      readelf: Update check for invalid word offsets in ARM unwind information.
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d
    
    CVE-2017-9039
      readelf: Fix overlarge memory allocation when reading a binary with an excessive number of program headers.
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=82156ab704b08b124d319c0decdbd48b3ca2dac5
    
    CVE-2017-9040, CVE-2017-9042
      readelf: fix out of range subtraction, seg fault from a NULL pointer and memory exhaustion, all from parsing corrupt binaries.
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf
    
    CVE-2017-9041
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75ec1fdbb797a389e4fe4aaf2e15358a070dcc19
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c4ab9505b53cdc899506ed421fddb7e1f8faf7a3
    
    [2] https://bugs.gentoo.org/show_bug.cgi?id=618520
    [2] https://bugs.gentoo.org/show_bug.cgi?id=618826
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.2
Comment 2 Matthias Maier gentoo-dev 2017-06-06 22:35:53 UTC
2.27: Fixed in 2.27-r1 (see above)
2.28: Fixed in 2.28-r1


 * The patch for CVE-2017-9043 cannot be backported to 2.28, the function
   and code snippet in question do not exist.
   
   Security, please advice.

 * The status of CVE-2017-9044 is unknown.

   Security, please advice.



commit 2f7eb9e2fe785abde175d4f7a041fa64d330fdf7 (HEAD -> master, origin/master, origin/HEAD)
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Tue Jun 6 17:04:54 2017 -0500

    sys-devel/binutils: 2.28 - multiple security fixes, bug #618514, bug #618516, bug #618520, bug #618826
    
    CVE-2017-9041
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=75ec1fdbb797a389e4fe4aaf2e15358a070dcc19
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=c4ab9505b53cdc899506ed421fddb7e1f8faf7a3
    
    CVE-2017-9040, CVE-2017-9042
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf
    
    CVE-2017-9039
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=82156ab704b08b124d319c0decdbd48b3ca2dac5
    
    CVE-2017-9038
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d
    
    CVE-2017-8421
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=39ff1b79f687b65f4144ddb379f22587003443fb
    
    CVE-2017-8396, CVE-2017-8397
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=04b31182bf3f8a1a76e995bdfaaaab4c009b9cb2
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a941291cab71b9ac356e1c03968c177c03e602ab
    
    CVE-2017-8395
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e63d123268f23a4cbc45ee55fb6dbc7d84729da3
    
    CVE-2017-8394
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7eacd66b086cabb1daab20890d5481894d4f56b2
    
    CVE-2017-8393
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bce964aa6c777d236fbd641f2bc7bb931cfe4bf3
    
    CVE-2017-8398
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34
    
    CVE-2017-7614
      https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ad32986fdf9da1c8748e47b8b45100398223dba8
    
    [1] https://bugs.gentoo.org/show_bug.cgi?id=618514
    [2] https://bugs.gentoo.org/show_bug.cgi?id=618516
    [3] https://bugs.gentoo.org/show_bug.cgi?id=618820
    [4] https://bugs.gentoo.org/show_bug.cgi?id=618826
    [5] https://bugs.gentoo.org/show_bug.cgi?id=618006
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.2
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2017-09-15 18:52:06 UTC
All vulnerable versions are masked. No cleanup (toolchain package).
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-09-17 15:31:33 UTC
This issue was resolved and addressed in
 GLSA 201709-02 at https://security.gentoo.org/glsa/201709-02
by GLSA coordinator Aaron Bauman (b-man).