Bug 1126828 - (CVE-2019-9076) VUL-2: CVE-2019-9076: binutils: attempted excessive memory allocation in elf_read_notes in elf.c.
VUL-2: CVE-2019-9076: binutils: attempted excessive memory allocation in elf_...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P5 - None : Minor
: ---
Assigned To: Michael Matz
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2019-02-25 15:09 UTC by Marcus Meissner
Modified: 2020-07-27 18:17 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

oom2 (4.33 KB, application/x-core)
2019-02-25 15:10 UTC, Marcus Meissner

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2019-02-25 15:09:55 UTC

An issue was discovered in the Binary File Descriptor (BFD) library (aka
libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive
memory allocation in elf_read_notes in elf.c.

Comment 1 Marcus Meissner 2019-02-25 15:10:36 UTC
Created attachment 797926 [details]


size oom2

(will run out of memory)
Comment 2 Michael Matz 2019-02-25 16:03:42 UTC
From the upstream comment:

This is a different testcase and different out of memory condition to pr24233.  Unlike pr24233 we report an out of memory error.  I think that is perfectly good behaviour for user input with silly sizes, in this case a NOTE section claiming to be 0xfffff7dd00 bytes in size.  While we could test for silly section sizes by comparing against file size, that doesn't work in all situations, eg. when section contents are encoded and the decoded size is much larger than the raw size.

I agree with this, we do report the following:

size: oom2: memory exhausted

so, this should be WONTFIX.  Marcus?
Comment 3 Marcus Meissner 2019-02-26 05:26:56 UTC
it fits the category of bugs we will not fix for binutils.

SUSE will not provide a fix for this issue since the risk to our customers posed by this is negligible.