Bug 1739490 (CVE-2019-14250)

Summary: CVE-2019-14250 binutils: integer overflow in simple-object-elf.c leads to a heap-based buffer overflow
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ahajkova, avi.kivity, davejohansen, dmalcolm, dvlasenk, fweimer, jakub, jwakely, mbenatto, mcermak, mnewsome, mpolacek, mprchlik, msebor, nickc, ohudlick, security-response-team, trupti_pardeshi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-27 10:47:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1739491, 1744174, 1744175, 1744176, 1744177, 1744178, 1744179, 1744182, 1744183, 1744192    
Bug Blocks: 1739492    

Description Marian Rehak 2019-08-09 12:41:38 UTC 
An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.

Upstream Issue:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90924
Comment 1 Marian Rehak 2019-08-09 12:41:52 UTC 
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1739491]
Comment 6 Marco Benatto 2019-08-21 13:32:27 UTC 
Upstream patch for gcc:

https://gcc.gnu.org/viewcvs/gcc/branches/gcc-8-branch/libiberty/simple-object-elf.c?view=patch&r1=273794&r2=273793&pathrev=273794

upstream commit for binutils:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=f211b8c0b91fc7b1657079a495f05a9a4d957821

On the binutils scenario the patch synchronizes with gcc mainline so it includes much more changes than we might expect.
The changelog entry for that on the commit message is:

 * simple-object-elf.c (simple_object_elf_match): Check zero value shstrndx.
            This fixes a Bug 90924.
Comment 10 Marco Benatto 2019-08-21 13:49:52 UTC 
Created gcc tracking bugs for this issue:

Affects: fedora-all [bug 1744192]
Comment 12 Marco Benatto 2019-08-21 14:32:31 UTC 
Statement:

This issue resides on libiberty code, libiberty is part of GNU project and contains several utilities being distributed by gcc and binutils packages. This flaws affects binutils versions as shipped with Red Hat Enterprise Linux 5, 6, 7 and 8 and also gcc versions as shipped with Red Hat Enterprise Linux 5, 6 ,7 and 8. Versions of gcc shipped with Red Hat Developers Tool Set 7 and 8 are also affected. This flaw was scored with 'Low' security impact for both binutils and gcc packages by Red Hat Product Security Team.
Comment 13 Marco Benatto 2019-08-21 14:47:40 UTC 
When reading ELF files libiberty parses the ELF structure to load its sections on memory. A crafted ELF file with invalid Section Header index leads to buffer overflow at simple_object_elf_find_sections() due to the lack of input validation. The overflow may lead to memory corruption and further out of bands read causing DoS.
Comment 14 Trupti Pardeshi 2020-05-27 09:03:39 UTC 
Can someone please update on whether this defect will be fixed in gcc of RHEL 5 and RHEL 6? And if yes, in which gcc version?

Any heads up are appreciated.

Thanks in advance.

Best Regards,
Comment 15 Nick Clifton 2020-05-27 10:15:18 UTC 
(In reply to Trupti Pardeshi from comment #14)
> Can someone please update on whether this defect will be fixed in gcc of
> RHEL 5 and RHEL 6? And if yes, in which gcc version?

Yes they are affected.  (Although to be clear it is the binutils packages in RHEL 5 and RHEL 6 which are most affected by the problem.  The bug is in the libiberty library which is maintained as part of the GCC project, but which is used extensively by the binutils project).
 
Currently there are no plans to fix the bug in RHEL 5 or RHEL 6.

The bug is fixed however in the Developer Toolset 9 release of the binutils which is available for RHEL 6.
Comment 16 Trupti Pardeshi 2020-05-27 11:04:19 UTC 
(In reply to Nick Clifton from comment #15)
> (In reply to Trupti Pardeshi from comment #14)
> > Can someone please update on whether this defect will be fixed in gcc of
> > RHEL 5 and RHEL 6? And if yes, in which gcc version?
> 
> Yes they are affected.  (Although to be clear it is the binutils packages in
> RHEL 5 and RHEL 6 which are most affected by the problem.  The bug is in the
> libiberty library which is maintained as part of the GCC project, but which
> is used extensively by the binutils project).
>  
> Currently there are no plans to fix the bug in RHEL 5 or RHEL 6.
> 
> The bug is fixed however in the Developer Toolset 9 release of the binutils
> which is available for RHEL 6.

Thank you so much Nick for prompt and clear reply.

PS: Just a kind thought that if GCC of RHEL 5 and RHEL 6 are affected, then those aren't they mentioned in affected packages.
https://access.redhat.com/security/cve/cve-2019-14250