Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 829304 (CVE-2021-45078, CVE-2021-46174) - <sys-devel/binutils-2.38 : heap buffer overflow
Summary: <sys-devel/binutils-2.38 : heap buffer overflow
Status: RESOLVED FIXED
Alias: CVE-2021-45078, CVE-2021-46174
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://sourceware.org/bugzilla/show_...
Whiteboard: A3 [glsa+]
Keywords:
Depends on: binutils-2.38-stable
Blocks:
  Show dependency tree
 
Reported: 2021-12-15 23:49 UTC by John Helmert III
Modified: 2023-11-28 17:56 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-15 23:49:55 UTC
CVE-2021-45078:

stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699.

Patch: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=161e87d12167b1e36193385485c1f6ce92f74f02
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-04 06:58:33 UTC
https://www.openwall.com/lists/oss-security/2021/12/23/1
https://sourceware.org/bugzilla/show_bug.cgi?id=28718

"I found a stack-overflow in 'debug_write_type' (binutils/debug.c). The problem is caused by a self-reference in a type definition string in the "stabs" representation of debugging information (http://www.sourceware.org/gdb/onlinedocs/stabs.html). 
This leads to an infinite recursion during the printing debug information about this type.

There is the following type definition:
    .stabs "some_type:t&1=2=3=2",128,0,0,0
Here 'some_type' is defined as a reference to the indirect type 1, which is the indirect type 2, which is the indirect type 3, which finally is the indirect type 2. And after parsing we get a "looped" type 2:
    *type->u.kindirect->slot == type"
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2022-02-12 21:28:45 UTC
(In reply to John Helmert III from comment #0)
> CVE-2021-45078:
> 
> stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows
> attackers to cause a denial of service (heap-based buffer overflow) or
> possibly have unspecified other impact, as demonstrated by an out-of-bounds
> write. NOTE: this issue exists because of an incorrect fix for
> CVE-2018-12699.
> 
> Patch:
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;
> h=161e87d12167b1e36193385485c1f6ce92f74f02

Fixed in 2.38

(In reply to John Helmert III from comment #1)
> https://www.openwall.com/lists/oss-security/2021/12/23/1
> https://sourceware.org/bugzilla/show_bug.cgi?id=28718
> 
> "I found a stack-overflow in 'debug_write_type' (binutils/debug.c). The
> problem is caused by a self-reference in a type definition string in the
> "stabs" representation of debugging information
...

Fixed in 2.38
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 05:11:04 UTC
GLSA request filed
Comment 4 Larry the Git Cow gentoo-dev 2022-08-14 21:48:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=1d8cf0a3e06fbdd4dd76f179edfa141b674a0968

commit 1d8cf0a3e06fbdd4dd76f179edfa141b674a0968
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 21:47:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 21:48:21 +0000

    [ GLSA 202208-30 ] GNU Binutils: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/778545
    Bug: https://bugs.gentoo.org/792342
    Bug: https://bugs.gentoo.org/829304
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-30.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 21:49:24 UTC
GLSA done, all done.
Comment 6 Larry the Git Cow gentoo-dev 2022-09-09 22:18:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2d5730d9528445165a7dbe1039c506f2ab2223b

commit c2d5730d9528445165a7dbe1039c506f2ab2223b
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2022-09-09 22:18:00 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2022-09-09 22:18:00 +0000

    package.mask: Extend binutils mask
    
    Bug: https://bugs.gentoo.org/829304
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 profiles/package.mask | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 7 Andreas K. Hüttel archtester gentoo-dev 2022-09-09 22:19:17 UTC
No cleanup (but all masked).
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-28 17:56:40 UTC
CVE-2021-46174 (https://sourceware.org/bugzilla/show_bug.cgi?id=28753):

Heap-based Buffer Overflow in function bfd_getl32 in Binutils objdump 3.37.

Fixed in 2.38.