Bug 1831873 (CVE-2019-12972)

Summary: CVE-2019-12972 binutils: out-of-bounds read in setup_group in bfd/elf.c
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ailan, dvlasenk, erik-fedora, fidencio, fweimer, jakub, klember, manisandro, marcandre.lureau, mcermak, mnewsome, mpolacek, mprchlik, nickc, ohudlick, rjones, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: binutils 2.33 Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read was discovered in Binutils while it processes a malformed ELF relocatable file (.o file). A victim user who uses Binutils tools (size, gdb, readelf) to analyze untrusted binaries, may be vulnerable to a denial of service attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 09:53:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1835138, 1835139, 1835156, 1835157, 1835158, 1835159, 1835183, 1835184    
Bug Blocks: 1831874    

Description Pedro Sampaio 2020-05-05 19:40:20 UTC 
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. There is a heap-based buffer over-read in _bfd_doprnt in bfd.c because elf_object_p in elfcode.h mishandles an e_shstrndx section of type SHT_GROUP by omitting a trailing '\0' character.

Upstream bug:

https://sourceware.org/bugzilla/show_bug.cgi?id=24689

Upstream fix:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=14b2a8e4244a29208ad430167860a0f01b20f215
Comment 1 Riccardo Schirone 2020-05-12 16:13:19 UTC 
The out-of-bounds read happens in setup_group() in elf.c, when called by _bfd_elf_make_section_from_shdr(). This is due to too loose checks in elf_object_p() in elfcode.h, which accepts e_shstrndx pointing to a section that is not SHT_STRTAB.
Comment 3 Riccardo Schirone 2020-05-13 08:36:50 UTC 
Statement:

Impact of the flaw set to Low because it is not considered a common use case to analyze and debug untrusted binaries.
Comment 4 Riccardo Schirone 2020-05-13 08:39:45 UTC 
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1835138]


Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1835139]