Bug 1680672 (CVE-2019-9076)

Summary: CVE-2019-9076 binutils: excessive memory allocation in function elf_read_notes in elf.c
Product: [Other] Security Response
Component: vulnerability
Reporter: Dhananjay Arunesh <darunesh>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
CC: abhgupta, aoliva, dbaker, dvlasenk, fweimer, jakub, jokerman, law, mprchlik, nickc, ohudlick, sthangav, trankin
Last Closed: 2019-03-20 19:29:28 UTC
Bug Depends On: 1680673
Bug Blocks: 1680680

Description Dhananjay Arunesh 2019-02-25 13:52:00 UTC
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in elf_read_notes in elf.c.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=24238

Comment 1 Dhananjay Arunesh 2019-02-25 13:52:15 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1680673]

Comment 2 Nick Clifton 2019-02-26 12:09:25 UTC
Note - this is not a real CVE.  A corrupt input file is causing one of the binutils 
tools to attempt to allocate more memory than is available on the host machine.  
Under normal circumstances this allocation will fail, the tool will detect the 
failure and correctly report an "out of memory" error.  The CVE was filed against a 
version of the tool which had been compiled with address sanitization enabled, which
meant that the over-large memory allocation was caught and flagged as an error
before the tool could handle it.
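
The behaviour described in Comment 2, as an added example that is not part of the original comment and is not binutils code: a size field taken from a corrupt file is checked against the file length before it drives an allocation, and the allocation result is still checked. The function read_notes, its status codes and the 16-byte sample image are hypothetical and constructed for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result codes for this sketch. */
enum notes_status { NOTES_OK = 0, NOTES_BAD_RANGE, NOTES_NO_MEMORY };

/* Copy a note segment out of an in-memory file image.  `offset` and `size`
   stand for header fields taken from the untrusted file. */
static enum notes_status
read_notes(const uint8_t *file, size_t file_len,
           uint64_t offset, uint64_t size, uint8_t **out)
{
    *out = NULL;
    /* A segment cannot be larger than the file that contains it.  Written
       as a subtraction so that offset + size cannot wrap around. */
    if (size == 0 || offset > file_len || size > file_len - offset)
        return NOTES_BAD_RANGE;

    /* The request is now bounded by file_len; still check the result, so a
       genuine shortage is reported as "out of memory" and not dereferenced. */
    uint8_t *buf = malloc((size_t)size + 1);
    if (buf == NULL)
        return NOTES_NO_MEMORY;

    memcpy(buf, file + offset, (size_t)size);
    buf[size] = 0;                 /* keep the copy NUL-terminated */
    *out = buf;
    return NOTES_OK;
}

int main(void)
{
    /* Constructed sample: 16-byte "file" with an 8-byte note at offset 8. */
    static const uint8_t file[16] =
        { [8] = 'N', 'O', 'T', 'E', 'D', 'A', 'T', 'A' };
    uint8_t *notes;

    /* Corrupt header claiming a multi-terabyte note segment. */
    printf("corrupt: %d\n",
           read_notes(file, sizeof file, 8, UINT64_C(1) << 42, &notes));
    printf("valid:   %d\n", read_notes(file, sizeof file, 8, 8, &notes));
    free(notes);
    return 0;
}
```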

Comment 3 Scott Gayou 2019-03-20 19:28:38 UTC
Looks to be the same style of "issue" as https://bugzilla.redhat.com/show_bug.cgi?id=1680660

I.e., looks correct, seems like an invalid CVE. NOTABUG!