Bugzilla – Bug 1126828
VUL-2: CVE-2019-9076: binutils: attempted excessive memory allocation in elf_read_notes in elf.c.
Last modified: 2020-07-27 18:17:19 UTC
CVE-2019-9076 An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in elf_read_notes in elf.c.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9076
https://sourceware.org/bugzilla/show_bug.cgi?id=24238
Created attachment 797926: oom2
QA REPRODUCER: size oom2 (will run out of memory)
From the upstream comment:
-------
This is a different testcase and different out of memory condition to pr24233. Unlike pr24233 we report an out of memory error. I think that is perfectly good behaviour for user input with silly sizes, in this case a NOTE section claiming to be 0xfffff7dd00 bytes in size. While we could test for silly section sizes by comparing against file size, that doesn't work in all situations, eg. when section contents are encoded and the decoded size is much larger than the raw size.
-------
I agree with this, we do report the following:
size: oom2: memory exhausted
so, this should be WONTFIX. Marcus?
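The file-size sanity check the upstream comment mentions, as an added example that is not binutils code: it compares each ELF64 section header's claimed sh_size against the bytes actually present, flags a NOTE section that claims the 0xfffff7dd00 bytes from this report, and skips SHT_NOBITS sections, which legitimately occupy no file bytes. The sample image, build_sample and check_sample are constructed for this example and assume a little-endian host.

```c
#include <elf.h>
#include <stdio.h>
#include <string.h>

/* Count sections whose claimed byte range does not fit inside the file; -1 if not ELF64. */
int count_oversized_sections(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_shentsize != sizeof(Elf64_Shdr)) return -1;
    /* The section header table itself must lie within the file. */
    if (eh.e_shoff > len || eh.e_shnum > (len - eh.e_shoff) / sizeof(Elf64_Shdr)) return -1;
    int bad = 0;
    for (unsigned i = 0; i < eh.e_shnum; i++) {
        Elf64_Shdr sh;
        memcpy(&sh, buf + eh.e_shoff + i * sizeof sh, sizeof sh);
        if (sh.sh_type == SHT_NOBITS) continue;   /* .bss-style sections hold no file bytes */
        if (sh.sh_offset > len || sh.sh_size > len - sh.sh_offset) {
            printf("section %u (type %u) claims 0x%llx bytes at 0x%llx; file is %zu bytes\n",
                   i, sh.sh_type, (unsigned long long)sh.sh_size, (unsigned long long)sh.sh_offset, len);
            bad++;
        }
    }
    return bad;
}

/* Constructed sample: minimal ELF64 image with the null section plus one SHT_NOTE section
   whose sh_size is the value quoted in the bug report. Written in host order (little-endian). */
size_t build_sample(unsigned char *out, size_t cap)
{
    Elf64_Ehdr eh = {0}; Elf64_Shdr sh[2] = {{0}};
    size_t total = sizeof eh + sizeof sh + 16;
    if (cap < total) return 0;
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_shoff = sizeof eh;                  /* section headers follow the ELF header */
    eh.e_shentsize = sizeof(Elf64_Shdr); eh.e_shnum = 2;
    sh[1].sh_type = SHT_NOTE; sh[1].sh_offset = sizeof eh + sizeof sh;
    sh[1].sh_size = 0xfffff7dd00ULL;         /* ~1 TiB claimed, only 16 bytes present */
    memset(out, 0, total);
    memcpy(out, &eh, sizeof eh); memcpy(out + sizeof eh, sh, sizeof sh);
    return total;
}
/* Build the sample and run the check over it; 1 means the NOTE section was flagged. */
int check_sample(void)
{
    unsigned char img[512];
    return count_oversized_sections(img, build_sample(img, sizeof img));
}
```

As the comment notes, this only catches raw sizes; a section whose decoded contents are larger than its on-disk bytes passes the check and still needs a separate allocation limit.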
It fits the category of bugs we will not fix for binutils. SUSE will not provide a fix for this issue since the risk to our customers posed by this is negligible.