Bug 1061234 - (CVE-2017-14940) VUL-0: CVE-2017-14940: binutils: denial of service (NULL pointer dereference) in scan_unit_for_symbols in dwarf2.c
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Michael Matz
Security Team bot
https://smash.suse.de/issue/192698/
CVSSv3:SUSE:CVE-2017-14940:5.3:(AV:N/...
Reported: 2017-10-02 08:53 UTC by Alexander Bergmann
Modified: 2020-04-01 16:59 UTC (History)
Found By: Security Response Team
Attachments
QA Reproducer (30.52 KB, application/x-executable)
2018-02-19 15:11 UTC, Alexander Bergmann
Description Alexander Bergmann 2017-10-02 08:53:17 UTC
CVE-2017-14940

scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) library
(aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to
cause a denial of service (NULL pointer dereference and application crash) via a
crafted ELF file.

Upstream bug:
https://sourceware.org/bugzilla/show_bug.cgi?id=22166
https://blogs.gentoo.org/ago/2017/09/26/binutils-null-pointer-dereference-in-scan_unit_for_symbols-dwarf2-c/

Upstream fix:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0d76029f92182c3682d8be2c833d45bc9a2068fe

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14940
http://seclists.org/oss-sec/2017/q3/594
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14940
Comment 1 Alexander Bergmann 2017-10-02 08:54:44 UTC
Check bug#1061229 comment 1 for reproducer.
Comment 2 Michael Matz 2017-10-02 14:07:03 UTC
The fix (and textual report) actually corresponds with
https://sourceware.org/bugzilla/show_bug.cgi?id=22167
(not 22166). Is the reproducer nevertheless correct?
Comment 3 Alexander Bergmann 2018-02-19 15:11:16 UTC
Created attachment 760661
QA Reproducer

#> nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D 1225.crashes.bin
1225.crashes.bin:                 w _ITM_deregisterTMCloneTable
1225.crashes.bin:                 w _ITM_registerTMCloneTable
1225.crashes.bin:                 w _Jv_RegisterClasses
1225.crashes.bin:                 U _ZNSt8ios_base4InitC1Ev@GLIBCXX_3.4
1225.crashes.bin:0000000000400670 T _ZNSt8ios_base4InitC1Ev@plt
1225.crashes.bin:                 U _ZNSt8ios_base4InitD1Ev@GLIBCXX_3.4
1225.crashes.bin:00000000004006a0 T _ZNSt8ios_base4InitD1Ev@plt
1225.crashes.bin:0000000000601080 0000000000000110 B _ZSt4cout@@GLIBCXX_3.4nm: Dwarf Error: mangled line number section (bad file number).
nm: Dwarf Error: Info pointer extends beyond end of attributes
nm: Dwarf Error: Info pointer extends beyond end of attributes
nm: Dwarf Error: Info pointer extends beyond end of attributes
Segmentation fault (core dumped)
Comment 4 Alexander Bergmann 2018-02-19 15:12:10 UTC
The reproducer in comment 3 comes from upstream 22167.
Comment 5 Johannes Segitz 2018-06-18 10:12:18 UTC
SUSE will not provide a fix for this issue since the risk to our customers posed by it is negligible.