Ubuntu update for binutils

Published: 2022-03-28

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2019-1010204
CWE-ID	CWE-20
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #1 is available.
Vulnerable software	Ubuntu Operating systems & Components / Operating system binutils (Ubuntu package) Operating systems & Components / Operating system package or component binutils-multiarch (Ubuntu package) Operating systems & Components / Operating system package or component
Vendor	Canonical Ltd.

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Input validation error

EUVDB-ID: #VU19572

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2019-1010204

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the improper processing of Executable Linkable Format (ELF) files with invalid "e_shoff" header fields in the "gold/fileread.cc:497" and "elfcpp/elfcpp_file.h:644" files. A remote attacker can trick a victim to open a specially crafted ELF file, cause an out-of-bounds read condition and perform a denial of service attack on the target system.

Mitigation

Update the affected package binutils to the latest version.

Vulnerable software versions

Ubuntu: 16.04

binutils (Ubuntu package): before 2.26.11u buntu1~16.04.8+esm4

binutils-multiarch (Ubuntu package): before 2.26.11u buntu1~16.04.8+esm4

CPE2.3

External links

https://ubuntu.com/security/notices/USN-5349-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.