Bug 1061630 (CVE-2017-15025)

Summary: VUL-0: CVE-2017-15025: binutils: denial of service in decode_line_info in dwarf2.c
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Michael Matz <matz>
Status: RESOLVED WONTFIX QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, jsegitz, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/192846/
Whiteboard: CVSSv2:SUSE:CVE-2017-15025:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv3:SUSE:CVE-2017-15025:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVSSv3:RedHat:CVE-2017-15025:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv3:NVD:CVE-2017-15025:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: QA Reproducer

Description Alexander Bergmann 2017-10-04 15:28:21 UTC

decode_line_info in dwarf2.c in the Binary File Descriptor (BFD)
library (aka libbfd), as distributed in GNU Binutils 2.29, allows
remote attackers to cause a denial of service (divide-by-zero error and
application crash) via a crafted ELF file.

Upstream bug:

Upstream fix:

Comment 1 Alexander Bergmann 2017-10-04 15:30:22 UTC
Created attachment 743048 [details]
QA Reproducer

#> nm -A -a -l -S -s --special-syms --synthetic -D 00372-binutils-FPE-decode_line_info
Floating point exception (core dumped)
Comment 2 Johannes Segitz 2018-06-18 11:21:07 UTC
SUSE will not provide a fix for this issue since the risk to our customers posed by it is negligible.