Bug 1911441 (CVE-2020-35495)

Summary: CVE-2020-35495 binutils: NULL pointer dereference in bfd_pef_parse_symbols function in bfd/pef.c
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: adscvr, ailan, cmoore, dvlasenk, erik-fedora, fweimer, gmccullo, jakub, kaycoth, klember, kwalsh, manisandro, marcandre.lureau, mcermak, mpolacek, mprchlik, nickc, ohudlick, rjones, sadams, sipoyare, virt-maint
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: binutils 2.34
Doc Text:
A flaw was found in binutils. An attacker who is able to submit a crafted input file to be processed by the objdump program could cause a null pointer dereference. The greatest threat from this flaw is to application availability.
Bug Depends On: 1911442, 1911549, 1911550, 1911551, 1911552, 1912295, 1912296, 1912297, 1912298, 1912300, 1912301, 1912302, 1912303, 1912304, 1912305, 1912306, 1912307, 1912308, 1912309, 1912310, 1912311, 1912312, 1912313, 1912314, 1912315, 1912316, 1912317, 1912318, 1912319, 1912320, 1912321, 1912322, 1912323, 1912324, 1912325, 1912326, 1912327, 1912329, 1912330, 1912331, 1912332, 1912333, 1912334    
Bug Blocks: 1908372, 1911446    

Description Guilherme de Almeida Suckevicz 2020-12-29 13:33:21 UTC
GNU Binutils before 2.34 has a NULL pointer dereference vulnerability in function bfd_pef_parse_symbols (file bfd/pef.c) which could allow attackers to cause a denial of service.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=25306

Comment 1 Guilherme de Almeida Suckevicz 2020-12-29 13:33:44 UTC
Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1911442]

Comment 2 Todd Cullum 2020-12-30 00:45:18 UTC
Flaw technical summary:

In `bfd_pef_parse_symbols()` of bfd/pef.c, a call is made to `bfd_malloc()` and the return pointer is dereferenced and written to in a call to `bfd_bread()` without first checking to ensure that the pointer does not point to NULL. Due to the fact that a crafted file could cause this allocation to fail, it's possible for an attacker to trigger a NULL pointer dereference.
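
The pattern from the flaw summary above, as an added C example that is not part of the bug report and is not binutils code. `struct src`, `src_malloc()` and `src_read()` are hypothetical stand-ins for a BFD handle, `bfd_malloc()` and `bfd_bread()`; the record format, `ALLOC_CAP` and both sample inputs are constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_NO_MEMORY = -2 };
#define ALLOC_CAP (1u << 20) /* assumption: cap that makes allocation failure reproducible */

/* Constructed samples: a valid record, and a header claiming 0xFFFFFFFF payload bytes. */
const uint8_t GOOD[] = {0, 0, 0, 3, 'P', 'E', 'F'};
const uint8_t CRAFTED[] = {0xFF, 0xFF, 0xFF, 0xFF, 'x'};

/* Hypothetical stand-in for a BFD handle: an in-memory "file" with a read cursor. */
struct src { const uint8_t *data; size_t size, pos; };

/* Stand-in for bfd_malloc(): returns NULL when the request cannot be met. */
static void *src_malloc(size_t n) { return n > ALLOC_CAP ? NULL : malloc(n ? n : 1); }

/* Stand-in for bfd_bread(): copies up to n bytes into buf and returns the count. */
static size_t src_read(void *buf, size_t n, struct src *s) {
    size_t left = s->size - s->pos;
    if (n > left) n = left;
    memcpy(buf, s->data + s->pos, n); /* writes through buf, so buf == NULL faults here */
    s->pos += n;
    return n;
}

/* Constructed format: 4-byte big-endian length, then that many payload bytes. */
static int read_len(struct src *s, size_t *len) {
    uint8_t h[4];
    if (src_read(h, 4, s) != 4) return PARSE_TRUNCATED;
    *len = ((size_t)h[0] << 24) | ((size_t)h[1] << 16) | ((size_t)h[2] << 8) | h[3];
    return PARSE_OK;
}

/* BEFORE: the allocator's result goes straight into the read, as in the flaw summary. */
int parse_unchecked(struct src *s, uint8_t **out, size_t *len) {
    if (read_len(s, len) != PARSE_OK) return PARSE_TRUNCATED;
    uint8_t *buf = src_malloc(*len);
    if (src_read(buf, *len, s) != *len) { free(buf); return PARSE_TRUNCATED; }
    *out = buf;
    return PARSE_OK;
}

/* AFTER: a failed allocation becomes a parse error instead of a crash. */
int parse_checked(struct src *s, uint8_t **out, size_t *len) {
    if (read_len(s, len) != PARSE_OK) return PARSE_TRUNCATED;
    uint8_t *buf = src_malloc(*len);
    if (buf == NULL) return PARSE_NO_MEMORY;
    if (src_read(buf, *len, s) != *len) { free(buf); return PARSE_TRUNCATED; }
    *out = buf;
    return PARSE_OK;
}
```

Run on `CRAFTED`, `parse_unchecked()` faults inside `src_read()`, while `parse_checked()` returns `PARSE_NO_MEMORY` for the same bytes.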

Comment 3 Todd Cullum 2020-12-30 00:52:38 UTC
Statement:

binutils as shipped with Red Hat Enterprise Linux 8's GCC Toolset 10 and Red Hat Developer Toolset 10 are not affected by this flaw because the versions shipped have already received the patch.