Bug 1193929 - (CVE-2021-45078) VUL-1: CVE-2021-45078: binutils: out-of-bounds write in stab_xcoff_builtin_type() in stabs.c
Status: IN_PROGRESS
Duplicates: 1202864
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Michael Matz
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/317624/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-45078:3.3:(AV:...
Depends on:
Blocks:

Reported: 2021-12-20 16:13 UTC by Carlos López
Modified: 2022-09-12 08:33 UTC
CC: 6 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
oob_write (1.02 KB, application/x-object), 2022-07-01 12:28 UTC, Marcus Meissner

Description Carlos López 2021-12-20 16:13:04 UTC
rh#2033715

stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=28694

Upstream patch:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=161e87d12167b1e36193385485c1f6ce92f74f02

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2033715
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-45078
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45078
Comment 1 Carlos López 2021-12-20 16:13:39 UTC
Affected codestreams:
 - SUSE:Carwos:1
 - SUSE:SLE-11-SP1:Update:Teradata
 - SUSE:SLE-11-SP3:Update
 - SUSE:SLE-11-SP4:Update
 - SUSE:SLE-12:Update
 - SUSE:SLE-15:Update
 - SUSE:SLE-15-SP1:Update

Also affected on openSUSE:
 - openSUSE:Factory
Comment 3 Michael Matz 2022-02-23 14:11:21 UTC
This issue is one of the normal fuzzing pseudo-CVEs of binutils.  We don't do
active fixes for these, instead they will be fixed as part of the annual toolchain
update by a binutils version update.  The next one is due in autumn 2022.
We don't fix these for SLE-11 anymore.

Background: to actually be affected by this problem (which is simply a normal bug
processing invalid input) in any security-relevant
setting someone would need to feed random content from an outsider in an
uncontrolled fashion to some command line tools of binutils.  It only has a CVE
entry because the fuzzers like to collect such numbers and because no one is
disputing these CVEs.

So, officially in progress, but there won't be anything done except the binutils
version update later this year.
Comment 4 Gianluca Gabrielli 2022-02-24 16:54:02 UTC
Hi Michael, 

could you provide a more accurate deadline about this update and which codestreams will receive such a version update? Since we consider this security bug important, we want to have this fixed on all the codestreams Carlos mentioned in comment 1.
Comment 5 Marcus Meissner 2022-02-25 16:44:44 UTC
see his email on security-team.

SUSE:SLE-12:Update and SUSE:SLE-15:Update currently receive yearly version updates.
Comment 6 Michael Matz 2022-02-28 16:09:42 UTC
(In reply to Gianluca Gabrielli from comment #4)
> could you provide a more accurate deadline about this update

Not really, no.  If we extrapolate from the past it will occur between
October and December 2022.

> and which codestreams will receive such a version update?

SLE-12 and SLE-15.

> Since we consider this security bug important,

Based on which criteria is this considered important, and by whom?  I certainly
don't consider it important, based on the attack vector and how the setup must
be for that attack vector to be applicable.

> we want to have this fixed on all the codestreams
> Carlos mentioned in comment 1.
Comment 7 Marcus Meissner 2022-07-01 12:28:49 UTC
Created attachment 859957
oob_write

QA REPRODUCER

valgrind objdump -g oob_write

should NOT report "Invalid write of size 8"
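The QA reproducer in comment 7 is a manual check: run `objdump -g` on the attachment under valgrind and look for "Invalid write of size 8" in the output. The script below is an added example, not part of the bug report and not code from binutils, that turns that check into a pass/fail verdict suitable for a package test. It assumes the caller supplies the objdump binary under test and the oob_write attachment; the two valgrind logs embedded in it are constructed by hand to exercise the log parsing (addresses and the frame's source location are placeholders), not captured output.

```shell
#!/bin/sh
# Added example (not from the bug report or from binutils): automate the QA
# reproducer "valgrind objdump -g oob_write", which must NOT report
# "Invalid write of size 8". Assumptions: objdump and the attachment are given
# by the caller; SAMPLE_*_LOG are constructed logs used only to test the parsing.

# Constructed log of a vulnerable objdump: one invalid write, one error in the
# summary. The address and the "(stabs.c)" location are placeholders.
SAMPLE_BAD_LOG='==4242== Memcheck, a memory error detector
==4242== Command: objdump -g oob_write
==4242==
==4242== Invalid write of size 8
==4242==    at 0x000000: stab_xcoff_builtin_type (stabs.c)
==4242==
==4242== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)'

# Constructed log of a fixed objdump: no errors at all.
SAMPLE_GOOD_LOG='==4243== Memcheck, a memory error detector
==4243== Command: objdump -g oob_write
==4243==
==4243== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)'

# $1: valgrind log. Prints how many "Invalid write/read of size N" lines it has.
invalid_access_count() {
    n=$(grep -c -E '^==[0-9]+== Invalid (write|read) of size [0-9]+' "$1" || true)
    printf '%s\n' "${n:-0}"
}

# $1: valgrind log. Prints N from the "ERROR SUMMARY: N errors ..." line,
# or 0 when the summary line is missing (e.g. valgrind was run with -q).
valgrind_error_count() {
    n=$(sed -n 's/^==[0-9]*== ERROR SUMMARY: \([0-9]*\) errors.*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${n:-0}"
}

# $1: valgrind log. Prints PASS when neither an invalid access nor a non-zero
# error summary is present, FAIL otherwise.
reproducer_verdict() {
    if [ "$(invalid_access_count "$1")" -eq 0 ] && \
       [ "$(valgrind_error_count "$1")" -eq 0 ]; then
        echo PASS
    else
        echo FAIL
    fi
}

# $1: object file (the oob_write attachment); $2: objdump to test (default: objdump
# from PATH). Returns 0 when the binary passes, 1 when valgrind found an error.
run_reproducer() {
    obj=$1
    od=${2:-objdump}
    log=$(mktemp)
    # --error-exitcode=99 makes valgrind's exit status reflect its own findings
    # instead of objdump's; objdump's stdout (the dumped debug info) is not needed.
    if valgrind --error-exitcode=99 "$od" -g "$obj" >/dev/null 2>"$log"; then
        rc=0
    else
        rc=$?
    fi
    verdict=$(reproducer_verdict "$log")
    echo "$od -g $obj: $verdict (valgrind exit status $rc)"
    rm -f "$log"
    [ "$verdict" = PASS ] && [ "$rc" -ne 99 ]
}

# Stand-alone run: show the verdict for both constructed logs, then run the real
# reproducer if an object file (and optionally an objdump path) was passed.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_BAD_LOG" > "$tmp"
echo "constructed vulnerable log: $(reproducer_verdict "$tmp")"
printf '%s\n' "$SAMPLE_GOOD_LOG" > "$tmp"
echo "constructed fixed log: $(reproducer_verdict "$tmp")"
rm -f "$tmp"

if [ $# -ge 1 ]; then
    run_reproducer "$1" "${2:-objdump}"
fi
```

Two caveats for anyone wiring this into QA: the verdict combines the "Invalid write/read" count with valgrind's own ERROR SUMMARY and exit status, because `-q` suppresses the summary and objdump's own exit status says nothing about memory errors. And memcheck only flags accesses that leave a heap block or touch unaddressable memory, so an out-of-bounds store that lands inside another live allocation or a static array would not show up here; an objdump built with `-fsanitize=address` is the stricter check for this class of bug.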
Comment 15 Bogdano Arendartchuk 2022-09-12 08:33:08 UTC
*** Bug 1202864 has been marked as a duplicate of this bug. ***