Advisories ยป MGASA-2019-0169

Updated binutils packages fixes security vulnerabilities

Publication date: 12 May 2019
Modification date: 17 Feb 2022
Type: security
Affected Mageia releases : 6
CVE: CVE-2014-9939 , CVE-2016-4487 , CVE-2016-4488 , CVE-2016-4489 , CVE-2016-4490 , CVE-2016-4492 , CVE-2016-4493 , CVE-2016-6131 , CVE-2017-6965 , CVE-2017-6966 , CVE-2017-6969 , CVE-2017-7209 , CVE-2017-7210 , CVE-2017-7223 , CVE-2017-7224 , CVE-2017-7225 , CVE-2017-7226 , CVE-2017-7227 , CVE-2017-7299 , CVE-2017-7300 , CVE-2017-7301 , CVE-2017-7302 , CVE-2017-7303 , CVE-2017-7304 , CVE-2017-7614 , CVE-2017-8392 , CVE-2017-8393 , CVE-2017-8394 , CVE-2017-8395 , CVE-2017-8396 , CVE-2017-8397 , CVE-2017-8398 , CVE-2017-8421 , CVE-2017-9038 , CVE-2017-9039 , CVE-2017-9040 , CVE-2017-9041 , CVE-2017-9042 , CVE-2017-9043 , CVE-2017-9044 , CVE-2017-9746 , CVE-2017-9747 , CVE-2017-9748 , CVE-2017-9750 , CVE-2017-9755 , CVE-2017-9756 , CVE-2017-9954 , CVE-2017-9955 , CVE-2017-12448 , CVE-2017-12449 , CVE-2017-12450 , CVE-2017-12451 , CVE-2017-12452 , CVE-2017-12453 , CVE-2017-12454 , CVE-2017-12455 , CVE-2017-12456 , CVE-2017-12457 , CVE-2017-12458 , CVE-2017-12459 , CVE-2017-12799 , CVE-2017-13710 , CVE-2017-13716 , CVE-2017-13757 , CVE-2017-14128 , CVE-2017-14129 , CVE-2017-14130 , CVE-2017-14333 , CVE-2017-14529 , CVE-2017-14729 , CVE-2017-14745 , CVE-2017-14938 , CVE-2017-14939 , CVE-2017-14940 , CVE-2017-14974 , CVE-2017-15020 , CVE-2017-15021 , CVE-2017-15022 , CVE-2017-15023 , CVE-2017-15024 , CVE-2017-15025 , CVE-2017-15938 , CVE-2017-15939 , CVE-2018-6323 , CVE-2018-6543 , CVE-2018-6759 , CVE-2018-6872 , CVE-2018-7208 , CVE-2018-7568 , CVE-2018-7569 , CVE-2018-7570 , CVE-2018-7642 , CVE-2018-7643 , CVE-2018-8945 , CVE-2018-10372 , CVE-2018-10373 , CVE-2018-10534 , CVE-2018-10535 , CVE-2018-18484 , CVE-2018-18700 , CVE-2019-9071 , CVE-2019-9073 , CVE-2019-9074 , CVE-2019-9075 , CVE-2019-9077

Description

This update provides the latest stable binutils, currently version 2.32
and fixes at least the following security issues:

ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when
printing bad bytes in Intel Hex objects (CVE-2014-9939)

Use-after-free vulnerability in libiberty allows remote attackers to cause
a denial of service (segmentation fault and crash) via a crafted binary,
related to "btypevec." (CVE-2016-4487)

Use-after-free vulnerability in libiberty allows remote attackers to cause
a denial of service (segmentation fault and crash) via a crafted binary,
related to "ktypevec." (CVE-2016-4488)

Integer overflow in the gnu_special function in libiberty allows remote
attackers to cause a denial of service (segmentation fault and crash) via
a crafted binary, related to the "demangling of virtual tables."
(CVE-2016-4489)

Integer overflow in cp-demangle.c in libiberty allows remote attackers to
cause a denial of service (segmentation fault and crash) via a crafted
binary, related to inconsistent use of the long and int types for lengths.
(CVE-2016-4490)

Buffer overflow in the do_type function in cplus-dem.c in libiberty allows
remote attackers to cause a denial of service (segmentation fault and
crash) via a crafted binary. (CVE-2016-4492)

The demangle_template_value_parm and do_hpacc_template_literal functions
in cplus-dem.c in libiberty allow remote attackers to cause a denial of
service (out-of-bounds read and crash) via a crafted binary. 
(CVE-2016-4493)

The demangler in GNU Libiberty allows remote attackers to cause a denial
of service (infinite loop, stack overflow, and crash) via a cycle in the
references of remembered mangled types. (CVE-2016-6131)

readelf in GNU Binutils 2.28 writes to illegal addresses while processing
corrupt input files containing symbol-difference relocations, leading to
a heap-based buffer overflow. (CVE-2017-6965)

readelf in GNU Binutils 2.28 has a use-after-free (specifically
read-after-free) error while processing multiple, relocated sections in an
MSP430 binary. This is caused by mishandling of an invalid symbol index,
and mishandling of state across invocations. (CVE-2017-6966)

readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over-read
while processing corrupt RL78 binaries. The vulnerability can trigger
program crashes. It may lead to an information leak as well. (CVE-2017-6969)

The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses
a NULL pointer while reading section contents in a corrupt binary, leading
to a program crash. (CVE-2017-7209)

objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer
over-reads (of size 1 and size 8) while handling corrupt STABS enum type
strings in a crafted object file, leading to program crash. (CVE-2017-7210)

GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer
overflow (of size 1) while attempting to unget an EOF character from the
input stream, potentially leading to a program crash. (CVE-2017-7223)

The find_nearest_line function in objdump in GNU Binutils 2.28 is vulnerable
to an invalid write (of size 1) while disassembling a corrupt binary that
contains an empty function name, leading to a program crash. (CVE-2017-7224)

The find_nearest_line function in addr2line in GNU Binutils 2.28 does not
handle the case where the main file name and the directory name are both
empty, triggering a NULL pointer dereference and an invalid write, and
leading to a program crash. (CVE-2017-7225)

The pe_ILF_object_p function in the Binary File Descriptor (BFD) library
(aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a
heap-based buffer over-read of size 4049 because it uses the strlen
function instead of strnlen, leading to program crashes in several
utilities such as addr2line, size, and strings. It could lead to
information disclosure as well. (CVE-2017-7226)

GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buffer
overflow while processing a bogus input script, leading to a program
crash. This relates to lack of '\0' termination of a name field in ldlex.l.
(CVE-2017-7227)

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
GNU Binutils 2.28, has an invalid read (of size 8) because the code to
emit relocs (bfd_elf_final_link function in bfd/elflink.c) does not check
the format of the input file before trying to read the ELF reloc section
header. The vulnerability leads to a GNU linker (ld) program crash.
(CVE-2017-7299)

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h
that is vulnerable to a heap-based buffer over-read (off-by-one) because
of an incomplete check for invalid string offsets while loading symbols,
leading to a GNU linker (ld) program crash. (CVE-2017-7300)

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h
that has an off-by-one vulnerability because it does not carefully check
the string offset. The vulnerability could lead to a GNU linker (ld)
program crash. (CVE-2017-7301)

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
GNU Binutils 2.28, has a swap_std_reloc_out function in bfd/aoutx.h that
is vulnerable to an invalid read (of size 4) because of missing checks
for relocs that could not be recognised. This vulnerability causes
Binutils utilities like strip to crash. (CVE-2017-7302)

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
GNU Binutils 2.28, is vulnerable to an invalid read (of size 4) because
of missing a check (in the find_link function) for null headers before
attempting to match them. This vulnerability causes Binutils utilities
like strip to crash. (CVE-2017-7303)

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because
of missing a check (in the copy_special_section_fields function) for an
invalid sh_link field before attempting to follow it. This vulnerability
causes Binutils utilities like strip to crash. (CVE-2017-7304)

elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as
distributed in GNU Binutils 2.28, has a "member access within null
pointer" undefined behavior issue, which might allow remote attackers to
cause a denial of service (application crash) or possibly have unspecified
other impact via an "int main() {return 0;}" program. (CVE-2017-7614)

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of
missing a check to determine whether symbols are NULL in the 
_bfd_dwarf2_find_nearest_line function. This vulnerability causes programs
that conduct an analysis of binary programs using the libbfd library,
such as objdump, to crash. (CVE-2017-8392)

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
GNU Binutils 2.28, is vulnerable to a global buffer over-read error
because of an assumption made by code that runs for objcopy and strip,
that SHT_REL/SHR_RELA sections are always named starting with a 
.rel/.rela prefix. This vulnerability causes programs that conduct an
analysis of binary programs using the libbfd library, such as objcopy
and strip, to crash. (CVE-2017-8393)

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL
pointer dereferencing of _bfd_elf_large_com_section. This vulnerability
causes programs that conduct an analysis of binary programs using the
libbfd library, such as objcopy, to crash. (CVE-2017-8394)

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of
missing a malloc() return-value check to see if memory had actually been
allocated in the _bfd_generic_get_section_contents function. This
vulnerability causes programs that conduct an analysis of binary programs
using the libbfd library, such as objcopy, to crash. (CVE-2017-8395)

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the
existing reloc offset range tests didn't catch small negative offsets less
than the size of the reloc field. This vulnerability causes programs that
conduct an analysis of binary programs using the libbfd library, such as
objdump, to crash. (CVE-2017-8396)

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
GNU Binutils 2.28, is vulnerable to an invalid read of size 1 and an
invalid write of size 1 during processing of a corrupt binary containing
reloc(s) with negative addresses. This vulnerability causes programs that
conduct an analysis of binary programs using the libbfd library, such as
objdump, to crash. (CVE-2017-8397)

dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1
during dumping of debug information from a corrupt binary. This
vulnerability causes programs that conduct an analysis of binary programs,
such as objdump and readelf, to crash. (CVE-2017-8398)

The function coff_set_alignment_hook in coffcode.h in Binary File
Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28,
has a memory leak vulnerability which can cause memory exhaustion in
objdump via a crafted PE file. Additional validation in
dump_relocs_in_section in objdump.c can resolve this. (CVE-2017-8421)

GNU Binutils 2.28 allows remote attackers to cause a denial of service
(heap-based buffer over-read and application crash) via a crafted ELF file,
related to the byte_get_little_endian function in elfcomm.c, the
get_unwind_section_word function in readelf.c, and ARM unwind information
that contains invalid word offsets. (CVE-2017-9038)

GNU Binutils 2.28 allows remote attackers to cause a denial of service
(memory consumption) via a crafted ELF file with many program headers,
related to the get_program_headers function in readelf.c. (CVE-2017-9039)

GNU Binutils 2017-04-03 allows remote attackers to cause a denial of
service (NULL pointer dereference and application crash), related to the
process_mips_specific function in readelf.c, via a crafted ELF file that
triggers a large memory-allocation attempt. (CVE-2017-9040)

GNU Binutils 2.28 allows remote attackers to cause a denial of service
(heap-based buffer over-read and application crash) via a crafted ELF file,
related to MIPS GOT mishandling in the process_mips_specific function in
readelf.c. (CVE-2017-9041)

readelf.c in GNU Binutils 2017-04-12 has a "cannot be represented in type
long" issue, which might allow remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a crafted
ELF file. (CVE-2017-9042)

readelf.c in GNU Binutils 2017-04-12 has a "shift exponent too large for
type unsigned long" issue, which might allow remote attackers to cause a
denial of service (application crash) or possibly have unspecified other
impact via a crafted ELF file. (CVE-2017-9043)

The print_symbol_for_build_attribute function in readelf.c in GNU Binutils
2017-04-12 allows remote attackers to cause a denial of service (invalid
read and SEGV) via a crafted ELF file. (CVE-2017-9044)

The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows
remote attackers to cause a denial of service (buffer overflow and
application crash) or possibly have unspecified other impact via a crafted
binary file, as demonstrated by mishandling of rae insns printing for this
file during "objdump -D" execution. (CVE-2017-9746)

The ieee_archive_p function in bfd/ieee.c in the Binary File Descriptor
(BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might
allow remote attackers to cause a denial of service (buffer overflow and
application crash) or possibly have unspecified other impact via a crafted
binary file, as demonstrated by mishandling of this file during
"objdump -D" execution. (CVE-2017-9747)

The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor
(BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might
allow remote attackers to cause a denial of service (buffer overflow and
application crash) or possibly have unspecified other impact via a crafted
binary file, as demonstrated by mishandling of this file during
"objdump -D" execution. (CVE-2017-9748)

opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain
scale arrays, which allows remote attackers to cause a denial of service
(buffer overflow and application crash) or possibly have unspecified other
impact via a crafted binary file, as demonstrated by mishandling of this
file during "objdump -D" execution. (CVE-2017-9750)

opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of
registers for bnd mode, which allows remote attackers to cause a denial
of service (buffer overflow and application crash) or possibly have
unspecified other impact via a crafted binary file, as demonstrated by
mishandling of this file during "objdump -D" execution. (CVE-2017-9755)

The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU
Binutils 2.28 allows remote attackers to cause a denial of service
(buffer overflow and application crash) or possibly have unspecified
other impact via a crafted binary file, as demonstrated by mishandling
of this file during "objdump -D" execution. (CVE-2017-9756)

The getvalue function in tekhex.c in the Binary File Descriptor (BFD)
library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote
attackers to cause a denial of service (stack-based buffer over-read and
application crash) via a crafted tekhex file, as demonstrated by
mishandling within the nm program. (CVE-2017-9954)

The get_build_id function in opncls.c in the Binary File Descriptor (BFD)
library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote
attackers to cause a denial of service (heap-based buffer over-read and
application crash) via a crafted file in which a certain size field is
larger than a corresponding data field, as demonstrated by mishandling
within the objdump program. (CVE-2017-9955)

The bfd_cache_close function in bfd/cache.c in the Binary File Descriptor
(BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier,
allows remote attackers to cause a heap use after free and possibly achieve
code execution via a crafted nested archive file. This issue occurs because
incorrect functions are called during an attempt to release memory. The
issue can be addressed by better input validation in the
bfd_generic_archive_p function in bfd/archive.c. (CVE-2017-12448)

The _bfd_vms_save_sized_string function in vms-misc.c in the Binary File
Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29
and earlier, allows remote attackers to cause an out of bounds heap read
via a crafted vms file. (CVE-2017-12449)

The alpha_vms_object_p function in bfd/vms-alpha.c in the Binary File
Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29
and earlier, allows remote attackers to cause an out of bounds heap write
and possibly achieve code execution via a crafted vms alpha file.
(CVE-2017-12450)

The _bfd_xcoff_read_ar_hdr function in bfd/coff-rs6000.c and
bfd/coff64-rs6000.c in the Binary File Descriptor (BFD) library (aka
libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote
attackers to cause an out of bounds stack read via a crafted COFF image
file. (CVE-2017-12451)

The bfd_mach_o_i386_canonicalize_one_reloc function in bfd/mach-o-i386.c
in the Binary File Descriptor (BFD) library (aka libbfd), as distributed
in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out
of bounds heap read via a crafted mach-o file. (CVE-2017-12452)

The _bfd_vms_slurp_eeom function in libbfd.c in the Binary File Descriptor
(BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier,
allows remote attackers to cause an out of bounds heap read via a crafted
vms alpha file. (CVE-2017-12453)

The _bfd_vms_slurp_egsd function in bfd/vms-alpha.c in the Binary File
Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29
and earlier, allows remote attackers to cause an arbitrary memory read via
a crafted vms alpha file. (CVE-2017-12454)

The evax_bfd_print_emh function in vms-alpha.c in the Binary File
Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29
and earlier, allows remote attackers to cause an out of bounds heap read
via a crafted vms alpha file. (CVE-2017-12455)

The read_symbol_stabs_debugging_info function in rddbg.c in GNU Binutils
2.29 and earlier allows remote attackers to cause an out of bounds heap
read via a crafted binary file. (CVE-2017-12456)

The bfd_make_section_with_flags function in section.c in the Binary File
Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29
and earlier, allows remote attackers to cause a NULL dereference via a
crafted file. (CVE-2017-12457)

The nlm_swap_auxiliary_headers_in function in bfd/nlmcode.h in the Binary
File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils
2.29 and earlier, allows remote attackers to cause an out of bounds heap
read via a crafted nlm file. (CVE-2017-12458)

The bfd_mach_o_read_symtab_strtab function in bfd/mach-o.c in the Binary
File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils
2.29 and earlier, allows remote attackers to cause an out of bounds heap
write and possibly achieve code execution via a crafted mach-o file.
(CVE-2017-12459)

The elf_read_notesfunction in bfd/elf.c in GNU Binutils 2.29 allows remote
attackers to cause a denial of service (buffer overflow and application
crash) or possibly have unspecified other impact via a crafted binary file.
(CVE-2017-12799)

The setup_group function in elf.c in the Binary File Descriptor (BFD)
library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote
attackers to cause a denial of service (NULL pointer dereference and
application crash) via a group section that is too small. (CVE-2017-13710)

The C++ symbol demangler routine in cplus-dem.c in libiberty, as
distributed in GNU Binutils 2.29, allows remote attackers to cause a
denial of service (excessive memory allocation and application crash) via
a crafted file, as demonstrated by a call from the Binary File Descriptor
(BFD) library (aka libbfd). (CVE-2017-13716)

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in
GNU Binutils 2.29, does not validate the PLT section size, which allows
remote attackers to cause a denial of service (heap-based buffer over-read
and application crash) via a crafted ELF file, related to
elf_i386_get_synthetic_symtab in elf32-i386.c and 
elf_x86_64_get_synthetic_symtab in elf64-x86-64.c. (CVE-2017-13757)

The decode_line_info function in dwarf2.c in the Binary File Descriptor
(BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows
remote attackers to cause a denial of service (read_1_byte heap-based
buffer over-read and application crash) via a crafted ELF file.
(CVE-2017-14128)

The read_section function in dwarf2.c in the Binary File Descriptor (BFD)
library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote
attackers to cause a denial of service (parse_comp_unit heap-based buffer
over-read and application crash) via a crafted ELF file. (CVE-2017-14129)

The _bfd_elf_parse_attributes function in elf-attrs.c in the Binary File
Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29,
allows remote attackers to cause a denial of service 
(_bfd_elf_attr_strdup heap-based buffer over-read and application crash)
via a crafted ELF file. (CVE-2017-14130)

The process_version_sections function in readelf.c in GNU Binutils 2.29
allows attackers to cause a denial of service (Integer Overflow, and hang
because of a time-consuming loop) or possibly have unspecified other impact
via a crafted binary file with invalid values of ent.vn_next, during
"readelf -a" execution. (CVE-2017-14333)

The pe_print_idata function in peXXigen.c in the Binary File Descriptor
(BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles
HintName vector entries, which allows remote attackers to cause a denial
of service (heap-based buffer over-read and application crash) via a
crafted PE file, related to the bfd_getl16 function. (CVE-2017-14529)

The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD)
library (aka libbfd), as distributed in GNU Binutils 2.29, do not ensure
a unique PLT entry for a symbol, which allows remote attackers to cause a
denial of service (heap-based buffer overflow and application crash) or
possibly have unspecified other impact via a crafted ELF file, related to
elf32-i386.c and elf64-x86-64.c. (CVE-2017-14729)

The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD)
library (aka libbfd), as distributed in GNU Binutils 2.29, interpret a -1
value as a sorting count instead of an error flag, which allows remote
attackers to cause a denial of service (integer overflow and application
crash) or possibly have unspecified other impact via a crafted ELF file,
related to elf32-i386.c and elf64-x86-64.c. (CVE-2017-14745)

_bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor (BFD)
library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote
attackers to cause a denial of service (excessive memory allocation and
application crash) via a crafted ELF file. (CVE-2017-14938)

decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library
(aka libbfd), as distributed in GNU Binutils 2.29, mishandles a length
calculation, which allows remote attackers to cause a denial of service
(heap-based buffer over-read and application crash) via a crafted ELF
file, related to read_1_byte. (CVE-2017-14939)

scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD)
library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote
attackers to cause a denial of service (NULL pointer dereference and
application crash) via a crafted ELF file. (CVE-2017-14940)

The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD)
library (aka libbfd), as distributed in GNU Binutils 2.29, mishandle the
failure of a certain canonicalization step, which allows remote attackers
to cause a denial of service (NULL pointer dereference and application
crash) via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.
(CVE-2017-14974)

dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as
distributed in GNU Binutils 2.29, mishandles pointers, which allows remote
attackers to cause a denial of service (application crash) or possibly
have unspecified other impact via a crafted ELF file, related to
parse_die and parse_line_table, as demonstrated by a parse_die heap-based
buffer over-read. (CVE-2017-15020)

bfd_get_debug_link_info_1 in opncls.c in the Binary File Descriptor (BFD)
library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote
attackers to cause a denial of service (heap-based buffer over-read and
application crash) via a crafted ELF file, related to bfd_getl32.
(CVE-2017-15021)

dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as
distributed in GNU Binutils 2.29, does not validate the DW_AT_name data
type, which allows remote attackers to cause a denial of service
(bfd_hash_hash NULL pointer dereference, or out-of-bounds access, and
application crash) via a crafted ELF file, related to
scan_unit_for_symbols and parse_comp_unit. (CVE-2017-15022)

read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD)
library (aka libbfd), as distributed in GNU Binutils 2.29, does not
properly validate the format count, which allows remote attackers to cause
a denial of service (NULL pointer dereference and application crash) via a
crafted ELF file, related to concat_filename. (CVE-2017-15023)

find_abstract_instance_name in dwarf2.c in the Binary File Descriptor (BFD)
library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote
attackers to cause a denial of service (infinite recursion and application
crash) via a crafted ELF file. (CVE-2017-15024)

decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library
(aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers
to cause a denial of service (divide-by-zero error and application crash)
via a crafted ELF file. (CVE-2017-15025)

dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as
distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs
in the case of a relocatable object file, which allows remote attackers to
cause a denial of service (find_abstract_instance_name invalid memory read,
segmentation fault, and application crash). (CVE-2017-15938)

dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as
distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line
file table, which allows remote attackers to cause a denial of service
(NULL pointer dereference and application crash) via a crafted ELF file,
related to concat_filename. NOTE: this issue is caused by an incomplete
fix for CVE-2017-15023. (CVE-2017-15939)

The elf_object_p function in elfcode.h in the Binary File Descriptor (BFD)
library (aka libbfd), as distributed in GNU Binutils 2.29.1, has an
unsigned integer overflow because bfd_size_type multiplication is not used.
A crafted ELF file allows remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact.
(CVE-2018-6323)

In GNU Binutils 2.30, there's an integer overflow in the function
load_specific_debug_section() in objdump.c, which results in malloc()
with 0 size. A crafted ELF file allows remote attackers to cause a denial
of service (application crash) or possibly have unspecified other impact.
(CVE-2018-6543)

The bfd_get_debug_link_info_1 function in opncls.c in the Binary File
Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils
2.30, has an unchecked strnlen operation. Remote attackers could leverage
this vulnerability to cause a denial of service (segmentation fault) via
a crafted ELF file. (CVE-2018-6759)

The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD)
library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote
attackers to cause a denial of service (out-of-bounds read and segmentation
violation) via a note with a large alignment. (CVE-2018-6872)

In the coff_pointerize_aux function in coffgen.c in the Binary File
Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils
2.30, an index is not validated, which allows remote attackers to cause
a denial of service (segmentation fault) or possibly have unspecified
other impact via a crafted file, as demonstrated by objcopy of a COFF
object. (CVE-2018-7208)

The parse_die function in dwarf1.c in the Binary File Descriptor (BFD)
library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote
attackers to cause a denial of service (integer overflow and application
crash) via an ELF file with corrupt dwarf1 debug information, as
demonstrated by nm. (CVE-2018-7568)

dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as
distributed in GNU Binutils 2.30, allows remote attackers to cause a
denial of service (integer underflow or overflow, and application crash)
via an ELF file with a corrupt DWARF FORM block, as demonstrated by nm.
(CVE-2018-7569)

The assign_file_positions_for_non_load_sections function in elf.c in the
Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
Binutils 2.30, allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via an ELF file with a RELRO
segment that lacks a matching LOAD segment, as demonstrated by objcopy.
(CVE-2018-7570)

The swap_std_reloc_in function in aoutx.h in the Binary File Descriptor
(BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows
remote attackers to cause a denial of service (aout_32_swap_std_reloc_out
NULL pointer dereference and application crash) via a crafted ELF file,
as demonstrated by objcopy. (CVE-2018-7642)

The display_debug_ranges function in dwarf.c in GNU Binutils 2.30 allows
remote attackers to cause a denial of service (integer overflow and
application crash) or possibly have unspecified other impact via a crafted
ELF file, as demonstrated by objdump. (CVE-2018-7643)

The bfd_section_from_shdr function in elf.c in the Binary File Descriptor
(BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows
remote attackers to cause a denial of service (segmentation fault) via a
large attribute section. (CVE-2018-8945)

process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remote attackers
to cause a denial of service (heap-based buffer over-read and application
crash) via a crafted binary file, as demonstrated by readelf.
(CVE-2018-10372)

concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library
(aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers
to cause a denial of service (NULL pointer dereference and application
crash) via a crafted binary file, as demonstrated by nm-new.
(CVE-2018-10373)

The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the
Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
Binutils 2.30, processes a negative Data Directory size with an unbounded
loop that increases the value of (external_IMAGE_DEBUG_DIRECTORY) *edd so
that the address exceeds its own memory region, resulting in an
out-of-bounds memory write, as demonstrated by objcopy copying private info
with _bfd_pex64_bfd_copy_private_bfd_data_common in pex64igen.c.
(CVE-2018-10534)

The ignore_section_sym function in elf.c in the Binary File Descriptor
(BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, does not
validate the output_section pointer in the case of a symtab entry with a
"SECTION" type that has a "0" value, which allows remote attackers to
cause a denial of service (NULL pointer dereference and application crash)
via a crafted file, as demonstrated by objcopy. (CVE-2018-10535)

An issue was discovered in cp-demangle.c in GNU libiberty, as distributed
in GNU Binutils 2.31. Stack Exhaustion occurs in the C++ demangling
functions provided by libiberty, and there is a stack consumption problem
caused by recursive stack frames: cplus_demangle_type,
d_bare_function_type, d_function_type. (CVE-2018-18484)

An issue was discovered in cp-demangle.c in GNU libiberty, as distributed
in GNU Binutils 2.31. There is a stack consumption vulnerability resulting
from infinite recursion in the functions d_name(), d_encoding(), and
d_local_name() in cp-demangle.c. Remote attackers could leverage this
vulnerability to cause a denial-of-service via an ELF file, as
demonstrated by nm. (CVE-2018-18700)

An issue was discovered in GNU libiberty, as distributed in GNU Binutils
2.32. It is a stack consumption issue in d_count_templates_scopes in
cp-demangle.c after many recursive calls. (CVE-2019-9071)

An issue was discovered in the Binary File Descriptor (BFD) library (aka
libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive
memory allocation in _bfd_elf_slurp_version_tables in elf.c.
(CVE-2019-9073)

An issue was discovered in the Binary File Descriptor (BFD) library (aka
libbfd), as distributed in GNU Binutils 2.32. It is an out-of-bounds read
leading to a SEGV in bfd_getl32 in libbfd.c, when called from
pex64_get_runtime_function in pei-x86_64.c. (CVE-2019-9074)

An issue was discovered in the Binary File Descriptor (BFD) library (aka
libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer
overflow in _bfd_archive_64_bit_slurp_armap in archive64.c.
(CVE-2019-9075)

An issue was discovered in GNU Binutils 2.32. It is a heap-based buffer
overflow in process_mips_specific in readelf.c via a malformed MIPS option
section. (CVE-2019-9077)

For more information on the various security issues, read the referenced
cve.mitre.org links.

For more information about the other changes and additional features of
binutils / gas / ld in this update, see the referenced sourceware.org
NEWS links.
                

References

SRPMS

6/core