Bug 1680669 (CVE-2019-9075)

Summary: CVE-2019-9075 binutils: heap-based buffer overflow in function _bfd_archive_64_bit_slurp_armap in archive64.c
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: abhgupta, dbaker, dvlasenk, fweimer, jakub, jokerman, law, mprchlik, nickc, ohudlick, sipoyare, sthangav, trankin
Keywords: Security
Hardware: All
OS: Linux
Last Closed: 2020-05-20 21:19:05 UTC
Bug Depends On: 1680670, 1691070, 1691071
Bug Blocks: 1680680

Description Dhananjay Arunesh 2019-02-25 13:47:22 UTC
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=24236

Comment 1 Dhananjay Arunesh 2019-02-25 13:48:19 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1680670]

Comment 2 Scott Gayou 2019-03-20 19:17:08 UTC
```
==6814== Memcheck, a memory error detector
==6814== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==6814== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==6814== Command: size poc
==6814== 
==6814== Invalid write of size 1
==6814==    at 0x4F27D5C: _bfd_archive_64_bit_slurp_armap (archive64.c:126)
==6814==    by 0x4E884A7: bfd_slurp_armap (archive.c:1156)
==6814==    by 0x4E88174: bfd_generic_archive_p (archive.c:864)
==6814==    by 0x4E8F924: bfd_check_format_matches (format.c:352)
==6814==    by 0x10AFA2: display_file (size.c:403)
==6814==    by 0x10A3F5: main (size.c:240)
==6814==  Address 0x5773328 is 0 bytes after a block of size 4,472 alloc'd
==6814==    at 0x4C30E8B: malloc (vg_replace_malloc.c:309)
==6814==    by 0x4F3DD21: _objalloc_alloc (objalloc.c:143)
==6814==    by 0x4E970DD: bfd_alloc (opncls.c:949)
==6814==    by 0x4E975CC: bfd_zalloc (opncls.c:998)
==6814==    by 0x4F27C9F: _bfd_archive_64_bit_slurp_armap (archive64.c:98)
==6814==    by 0x4E884A7: bfd_slurp_armap (archive.c:1156)
==6814==    by 0x4E88174: bfd_generic_archive_p (archive.c:864)
==6814==    by 0x4E8F924: bfd_check_format_matches (format.c:352)
==6814==    by 0x10AFA2: display_file (size.c:403)
==6814==    by 0x10A3F5: main (size.c:240)
==6814== 
==6814== 
==6814== HEAP SUMMARY:
==6814==     in use at exit: 0 bytes in 0 blocks
==6814==   total heap usage: 90 allocs, 90 frees, 31,320 bytes allocated
==6814== 
==6814== All heap blocks were freed -- no leaks are possible
==6814== 
==6814== For counts of detected and suppressed errors, rerun with: -v
==6814== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```

and

```
size poc
double free or corruption (!prev)
Aborted (core dumped)
```

Comment 6 Product Security DevOps Team 2020-05-20 21:19:05 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9075