Bug 1647415 (CVE-2018-18606)

Summary: CVE-2018-18606 binutils: NULL pointer dereference in _bfd_add_merge_section in merge_strings function in merge.c
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: abhgupta, dbaker, dvlasenk, erik-fedora, fweimer, jakub, jokerman, kanderso, klember, mcermak, mnewsome, mpolacek, nickc, ohudlick, rjones, sthangav, trankin, virt-maint, yselkowi
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-25 22:21:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1647416, 1647417, 1647418, 1647419, 1654466, 1654467, 1654469
Bug Blocks: 1647427

Description Laura Pardo 2018-11-07 12:43:18 UTC
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in _bfd_add_merge_section in the merge_strings function in merge.c when attempting to merge sections with large alignments. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld. 


References:
https://sourceware.org/bugzilla/show_bug.cgi?id=23806 

Upstream Patch:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=45a0eaf77022963d639d6d19871dbab7b79703fc

Comment 1 Laura Pardo 2018-11-07 12:44:19 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1647417]


Created mingw-binutils tracking bugs for this issue:

Affects: epel-all [bug 1647416]

Comment 3 Nick Clifton 2018-11-09 16:56:51 UTC
This bug can only be triggered by using specially crafted, corrupt input files.
As such it will not normally be encountered by users, and fixing it is a low
priority.  The upstream GNU Binutils sources have already been fixed, and this
fix will be brought in with the next rebase to rawhide.  Postponing an update
to this BZ until then.

Comment 4 Nick Clifton 2018-11-09 16:58:44 UTC
Ahh - please ignore comment #3, it was meant for BZ 1647417

Comment 7 Scott Gayou 2018-11-28 20:53:32 UTC
Low impact, easy to reproduce.