SB2017091709 - Gentoo update for Binutils

Description

This security bulletin contains information about 19 secuirty vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2017-6965)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

readelf in GNU Binutils 2.28 writes to illegal addresses while processing corrupt input files containing symbol-difference relocations, leading to a heap-based buffer overflow.

2) Use-after-free (CVE-ID: CVE-2017-6966)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

readelf in GNU Binutils 2.28 has a use-after-free (specifically read-after-free) error while processing multiple, relocated sections in an MSP430 binary. This is caused by mishandling of an invalid symbol index, and mishandling of state across invocations.

3) Out-of-bounds read (CVE-ID: CVE-2017-6969)

The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.

readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well.

4) NULL pointer dereference (CVE-ID: CVE-2017-7614)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a "member access within null pointer" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an "int main() {return 0;}" program.

5) NULL pointer dereference (CVE-ID: CVE-2017-8392)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.

6) Out-of-bounds read (CVE-ID: CVE-2017-8393)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a global buffer over-read error because of an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy and strip, to crash.

7) NULL pointer dereference (CVE-ID: CVE-2017-8394)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of _bfd_elf_large_com_section. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.

8) NULL pointer dereference (CVE-ID: CVE-2017-8395)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of missing a malloc() return-value check to see if memory had actually been allocated in the _bfd_generic_get_section_contents function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.

9) Input validation error (CVE-ID: CVE-2017-8396)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.

10) Buffer overflow (CVE-ID: CVE-2017-8397)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 and an invalid write of size 1 during processing of a corrupt binary containing reloc(s) with negative addresses. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.

11) Buffer overflow (CVE-ID: CVE-2017-8398)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary. This vulnerability causes programs that conduct an analysis of binary programs, such as objdump and readelf, to crash.

12) Input validation error (CVE-ID: CVE-2017-8421)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The function coff_set_alignment_hook in coffcode.h in Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a memory leak vulnerability which can cause memory exhaustion in objdump via a crafted PE file. Additional validation in dump_relocs_in_section in objdump.c can resolve this.

13) Out-of-bounds read (CVE-ID: CVE-2017-9038)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in GNU Binutils 2.28. A remote attacker can perform a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to the byte_get_little_endian function in elfcomm.c, the get_unwind_section_word function in readelf.c, and ARM unwind information that contains invalid word offsets.

14) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2017-9039)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

GNU Binutils 2.28 allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file with many program headers, related to the get_program_headers function in readelf.c.

15) NULL pointer dereference (CVE-ID: CVE-2017-9040)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via a crafted ELF file that triggers a large memory-allocation attempt.

16) Out-of-bounds read (CVE-ID: CVE-2017-9041)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in GNU Binutils 2.28. A remote attacker can perform a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to MIPS GOT mishandling in the process_mips_specific function in readelf.c.

17) Type conversion (CVE-ID: CVE-2017-9042)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

readelf.c in GNU Binutils 2017-04-12 has a "cannot be represented in type long" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.

18) Buffer overflow (CVE-ID: CVE-2017-9742)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.

19) Stack-based buffer overflow (CVE-ID: CVE-2017-9954)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the getvalue function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed when processing a crafted tekhex file, as demonstrated by mishandling within the nm program. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

• https://security.gentoo.org/
• https://security.gentoo.org/glsa/201709-02