Bug 1686781 (CVE-2018-14038)

Summary: CVE-2018-14038 libbfd: remote dos via crafted file in function aout_32_swap_std_reloc_out in aoutx.h
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, aoliva, dbaker, dvlasenk, fweimer, gdb-bugs, jakub, jan.kratochvil, jokerman, keiths, law, mcermak, mnewsome, mpolacek, mprchlik, nickc, ohudlick, palves, rschiron, sergiodj, sthangav, tborcin, trankin
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-03-12 17:26:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1686782    
Bug Blocks: 1686787    

Description Dhananjay Arunesh 2019-03-08 10:04:32 UTC 
The aout_32_swap_std_reloc_out function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils before 2.31, allows remote attackers to cause a denial of service (segmentation fault and application crash) via a crafted file, as demonstrated by objcopy.

References:
http://git.hunter-ht.cn/zhanggen/objcopy_crash_input_1
https://sourceware.org/bugzilla/show_bug.cgi?id=23405
Comment 1 Dhananjay Arunesh 2019-03-08 10:06:04 UTC 
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1686782]
Comment 3 Riccardo Schirone 2019-03-12 17:25:29 UTC 
This appears to be a duplicate of bug 1553115 (CVE-2018-7642) according to upstream.
Also, this can be seen by looking at the stack traces, which are the same:

```
Program received signal SIGSEGV, Segmentation fault.
0x084cf65c in aout_32_swap_std_reloc_out (natptr=0xf590528c, g=0xf4b03fe8, abfd=<optimized out>) at /work/binutils-gdb/bfd/aoutx.h:1971
1971      asection *output_section = sym->section->output_section;
(gdb) bt
#0  0x084cf65c in aout_32_swap_std_reloc_out (natptr=0xf590528c, g=0xf4b03fe8, abfd=<optimized out>) at /work/binutils-gdb/bfd/aoutx.h:1971
#1  aout_32_squirt_out_relocs (abfd=0xf5b03970, section=0xf5903d48) at /work/binutils-gdb/bfd/aoutx.h:2444
#2  0x0849ae05 in i386linux_write_object_contents (abfd=0xf5b03970) at /work/binutils-gdb/bfd/i386linux.c:77
#3  0x081a9940 in bfd_close (abfd=0xf5b03970) at /work/binutils-gdb/bfd/opncls.c:731
#4  0x08080bbe in copy_file (input_filename=input_filename@entry=0xffffd8ef "out/slave/crashes/id:000125,sig:06,src:003346+002348,op:splice,rep:8", output_filename=output_filename@entry=0xf6500b80 "out/slave/crashes/stv31c0r", input_target=<optimized out>, 
    output_target=0x87f6320 "a.out-i386-linux", input_arch=0x0) at /work/binutils-gdb/binutils/objcopy.c:3530
#5  0x0805b429 in copy_main (argv=<optimized out>, argc=<optimized out>) at /work/binutils-gdb/binutils/objcopy.c:5478
#6  main (argc=2, argv=0xffffd7c4) at /work/binutils-gdb/binutils/objcopy.c:5582
```
Comment 4 Riccardo Schirone 2019-03-12 17:26:39 UTC 

*** This bug has been marked as a duplicate of bug 1553115 ***
Comment 5 Riccardo Schirone 2019-03-12 17:30:09 UTC 
Request to mark this CVE as duplicate of CVE-2018-7642 has been submitted to Mitre.
Comment 7 Doran Moppert 2020-02-10 04:36:40 UTC 
Statement:

This flaw was found to be a duplicate of CVE-2018-7642. Please see https://access.redhat.com/security/cve/CVE-2018-7642 for information about affected products and security errata.