CVE-2021-45078:

stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699.

Patch: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=161e87d12167b1e36193385485c1f6ce92f74f02
https://www.openwall.com/lists/oss-security/2021/12/23/1
https://sourceware.org/bugzilla/show_bug.cgi?id=28718

"I found a stack-overflow in 'debug_write_type' (binutils/debug.c). The problem is caused by a self-reference in a type definition string in the "stabs" representation of debugging information (http://www.sourceware.org/gdb/onlinedocs/stabs.html). This leads to an infinite recursion during the printing debug information about this type.

There is the following type definition:

.stabs "some_type:t&1=2=3=2",128,0,0,0

Here 'some_type' is defined as a reference to the indirect type 1, which is the indirect type 2, which is the indirect type 3, which finally is the indirect type 2. And after parsing we get a "looped" type 2:

*type->u.kindirect->slot == type"
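The looped indirect-type chain quoted above (type 1 -> 2 -> 3 -> 2) is the kind of input that makes a naive recursive walker never terminate. The following is an added illustration, not code from binutils or from the bug reporter: a small C program that parses the numeric "N=M=K" tail of a stabs type definition into an indirect-type table and then resolves it with a visited set, so a self-referencing chain is reported as a loop instead of being followed forever. The function names, the MAX_TYPES bound, the meaning of 0 as "no indirect definition" and the simplified handling of the definition string are assumptions of this example and do not mirror binutils' real stabs parser.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on type numbers handled by this example (assumption). */
#define MAX_TYPES 64

/* Parse the "N=M=K..." tail of a stabs type definition such as
 * "some_type:t&1=2=3=2" into an indirect-type table:
 *   target[N] = M  means "type N is defined as (a reference to) type M",
 *   target[N] = 0  means type N has no indirect definition (terminal).
 * *head receives the first type number of the chain.
 * Returns the number of definitions recorded, or -1 on malformed input. */
int parse_indirect_chain(const char *def, int target[MAX_TYPES], int *head)
{
    const char *p = strchr(def, ':');
    if (p == NULL)
        return -1;
    p++;
    /* Skip type-descriptor characters ('t', '&', ...) up to the first number. */
    while (*p && !isdigit((unsigned char)*p))
        p++;

    memset(target, 0, sizeof(int) * MAX_TYPES);
    char *end;
    long prev = strtol(p, &end, 10);
    if (end == p || prev <= 0 || prev >= MAX_TYPES)
        return -1;
    *head = (int)prev;
    p = end;

    int ndefs = 0;
    while (*p == '=') {
        p++;
        long next = strtol(p, &end, 10);
        if (end == p || next <= 0 || next >= MAX_TYPES)
            return -1;
        target[prev] = (int)next;
        ndefs++;
        prev = next;
        p = end;
    }
    return ndefs;
}

/* Follow indirect references from `start`, remembering every type number
 * already visited. Returns the terminal type number, or -1 when the chain
 * loops back onto itself (the "looped" type from the bug report). */
int resolve_type(const int target[MAX_TYPES], int start)
{
    unsigned char visited[MAX_TYPES] = {0};
    int cur = start;
    while (cur > 0 && cur < MAX_TYPES && target[cur] != 0) {
        if (visited[cur])
            return -1;          /* cycle: a recursive walker would never return */
        visited[cur] = 1;
        cur = target[cur];
    }
    return cur;
}

/* Convenience wrapper: 1 if the definition loops, 0 if it terminates,
 * -1 if the string could not be parsed. */
int chain_is_looped(const char *def)
{
    int target[MAX_TYPES];
    int head;
    if (parse_indirect_chain(def, target, &head) < 0)
        return -1;
    return resolve_type(target, head) < 0;
}

int main(void)
{
    /* Constructed sample definitions: the looped one from the report and a sane one. */
    const char *defs[] = { "some_type:t&1=2=3=2", "other_type:t&1=2=3" };
    for (size_t i = 0; i < sizeof defs / sizeof defs[0]; i++) {
        int r = chain_is_looped(defs[i]);
        printf("%-22s -> %s\n", defs[i],
               r == 1 ? "LOOP (naive recursion would not terminate)"
               : r == 0 ? "terminates" : "malformed");
    }
    return 0;
}
```

The visited set is the whole point: a walker that only follows `target[cur]` is correct for every acyclic chain and only fails on input like the reported one, which is exactly why such bugs survive until a fuzzer or a hostile object file produces the cycle.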
(In reply to John Helmert III from comment #0)
> CVE-2021-45078:
>
> stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows
> attackers to cause a denial of service (heap-based buffer overflow) or
> possibly have unspecified other impact, as demonstrated by an out-of-bounds
> write. NOTE: this issue exists because of an incorrect fix for
> CVE-2018-12699.
>
> Patch:
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=161e87d12167b1e36193385485c1f6ce92f74f02

Fixed in 2.38

(In reply to John Helmert III from comment #1)
> https://www.openwall.com/lists/oss-security/2021/12/23/1
> https://sourceware.org/bugzilla/show_bug.cgi?id=28718
>
> "I found a stack-overflow in 'debug_write_type' (binutils/debug.c). The
> problem is caused by a self-reference in a type definition string in the
> "stabs" representation of debugging information ...

Fixed in 2.38
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=1d8cf0a3e06fbdd4dd76f179edfa141b674a0968

commit 1d8cf0a3e06fbdd4dd76f179edfa141b674a0968
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 21:47:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 21:48:21 +0000

    [ GLSA 202208-30 ] GNU Binutils: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/778545
    Bug: https://bugs.gentoo.org/792342
    Bug: https://bugs.gentoo.org/829304
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-30.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
GLSA done, all done.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2d5730d9528445165a7dbe1039c506f2ab2223b

commit c2d5730d9528445165a7dbe1039c506f2ab2223b
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2022-09-09 22:18:00 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2022-09-09 22:18:00 +0000

    package.mask: Extend binutils mask

    Bug: https://bugs.gentoo.org/829304
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 profiles/package.mask | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
No cleanup (but all masked).
CVE-2021-46174 (https://sourceware.org/bugzilla/show_bug.cgi?id=28753): Heap-based Buffer Overflow in function bfd_getl32 in Binutils objdump 3.37. Fixed in 2.38.