Bug 1156272 (CVE-2014-8484)

Summary: CVE-2014-8484 binutils: invalid read flaw in libbfd
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: binutils 2.25
Doc Type: Bug Fix
Doc Text: An integer overflow flaw was found in the way the strings utility processed certain files. If a user were tricked into running the strings utility on a specially crafted file, it could cause the strings executable to crash.
Story Points: ---
Last Closed: 2019-06-08 02:35:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1168281, 1168302, 1172710
Bug Blocks: 1156276, 1210268
Reporter: Murray McAllister <mmcallis>
Assignee: Red Hat Product Security <security-response-team>
CC: carnil, dan, dhowells, drieden, jakub, kanderso, law, lkundrak, mcermak, mprchlik, nickc, nobody+bgollahe, ohudlick, pfrankli
Keywords: Security

Description Murray McAllister 2014-10-24 03:59:20 UTC
Michal Zalewski reported an invalid read flaw in libbfd, used by, for example, the "strings" utility. Running "strings" on a malicious file could cause "strings" to crash:

http://seclists.org/oss-sec/2014/q4/424

It is unclear yet if it is possible to leverage this issue for more than a crash.

Dave Rutherford noted on oss-security that using certain web browsers to save a malicious file could trigger this issue and cause the browser to crash:

http://seclists.org/oss-sec/2014/q4/426

Comment 2 Jeff Law 2014-10-24 15:07:56 UTC
I haven't looked deeply at this, but if the problem is truly in the srec code rather than higher up in the call chain, then I'd consider this pretty low priority.  srecords aren't really used anymore and one could easily argue they should not be enabled by default anymore -- they're strictly for ancient (think 1970s/1980s) embedded systems.

I wouldn't be terribly surprised if fuzzers found bugs in other ancient bfd targets either.

Comment 3 Jeff Law 2014-10-24 15:14:21 UTC
One more note, upstream already has a patch ready that fixes this problem and it's already been pushed into Rawhide as well.

Comment 4 Nick Clifton 2014-10-24 15:32:21 UTC
Hi Guys,

  The patch was not in Rawhide, but it is in upstream FSF sources.  I have backported the patch and it is now available in:

 binutils-2.24-24.fc22
 binutils-2.24-23.fc21
 binutils-2.23.88.0.1-19.fc20

Cheers
  Nick

Comment 5 Murray McAllister 2014-10-27 02:56:44 UTC
(In reply to Nick Clifton from comment #4)
> Hi Guys,
> 
>   The patch was not in Rawhide, but it is in upstream FSF sources.  I have
> backported the patch and it is now available in:
> 
>  binutils-2.24-24.fc22
>  binutils-2.24-23.fc21
>  binutils-2.23.88.0.1-19.fc20
> 
> Cheers
>   Nick

Thanks!

Comment 6 Murray McAllister 2014-10-27 02:57:29 UTC
MITRE assigned CVE-2014-8484 to this issue (upstream https://sourceware.org/bugzilla/show_bug.cgi?id=17509):

http://www.openwall.com/lists/oss-security/2014/10/26/2

Comment 7 Jeff Law 2014-10-27 16:24:26 UTC
FWIW, the controlled write in the ELF code that was reported over the weekend seems far more serious to me than issues in the srec code.

Comment 8 Murray McAllister 2014-10-28 03:08:15 UTC
(In reply to Jeff Law from comment #7)
> FWIW, the controlled write in the ELF code that was reported over the
> weekend seems far more serious to me than issues in the srec code.

Agree, that one was assigned CVE-2014-8485:

https://bugzilla.redhat.com/show_bug.cgi?id=1157276

Comment 9 Nick Clifton 2014-10-28 11:28:06 UTC
I have just added a second patch to the binutils RPM for this BZ.  This patch addresses a second seg-fault that can be triggered by corrupt ELF binaries, an example of which was attached to the upstream PR 17512: https://sourceware.org/bugzilla/show_bug.cgi?id=17512.

This patch is in:

 binutils-2.24-26.fc22
 binutils-2.24-25.fc21
 binutils-2.23.88.0.1-21.fc20

Also the patches are now in the FSF master and 2.25 binutils branches, so the fixes should propagate to the rest of the Linux world fairly soon.

Comment 10 Vasyl Kaigorodov 2014-11-26 14:21:47 UTC
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 16 errata-xmlrpc 2015-11-19 03:32:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2079 https://rhn.redhat.com/errata/RHSA-2015-2079.html