Bug 1950478 (CVE-2020-35448)

Summary: CVE-2020-35448 binutils: Heap-based buffer overflow in bfd_getl_signed_32() in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section() in elf.c
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: adscvr, ailan, aoliva, dvlasenk, erik-fedora, fidencio, fweimer, jakub, kaycoth, klember, ktietz, manisandro, marcandre.lureau, mcermak, mnewsome, mpolacek, mprchlik, nickc, ohudlick, rjones, sipoyare, virt-maint, vmugicag
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: binutils 2.36
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-09 22:25:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1950480, 1950481, 1953649, 1953650, 1953651, 1953652, 1953653, 1953658, 1953659, 1953660
Bug Blocks: 1950482

Description Guilherme de Almeida Suckevicz 2021-04-16 17:35:28 UTC
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1. A heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section in elf.c.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=26574

Upstream patch:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8642dafaef21aa6747cec01df1977e9c52eb4679
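The description above names the missing check, a relocation section's sh_entsize being trusted before the section is walked entry by entry. The following is an added example, not binutils code and not the upstream patch linked above; it illustrates the class of validation such a reader needs. It assumes a hypothetical minimal section-header view (shdr_view) with the relevant Elf64_Shdr fields, the standard Elf64_Rel/Elf64_Rela sizes, a bounds-checked little-endian reader standing in for a bfd_getl64-style helper, and a constructed 48-byte "file" holding two Elf64_Rela entries.

```c
/* Added example (not binutils code): reject a relocation section whose
   sh_entsize, sh_size or sh_offset would let an entry-wise walk read past
   the bytes actually present, before any entry is decoded. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SHT_RELA 4
#define SHT_REL  9
#define ELF64_RELA_SIZE 24u   /* sizeof(Elf64_Rela) */
#define ELF64_REL_SIZE  16u   /* sizeof(Elf64_Rel)  */

/* Hypothetical minimal section-header view; field names mirror Elf64_Shdr. */
typedef struct {
    uint32_t sh_type;
    uint64_t sh_offset;
    uint64_t sh_size;
    uint64_t sh_entsize;
} shdr_view;

/* Returns the entry count if the section can be walked safely, -1 otherwise. */
int64_t validate_reloc_section(const shdr_view *sh, uint64_t file_size)
{
    uint64_t expect;
    if (sh->sh_type == SHT_RELA)     expect = ELF64_RELA_SIZE;
    else if (sh->sh_type == SHT_REL) expect = ELF64_REL_SIZE;
    else return -1;                                    /* not a reloc section */
    if (sh->sh_entsize != expect) return -1;           /* zero, short or oversized entsize */
    if (sh->sh_size % sh->sh_entsize != 0) return -1;  /* trailing partial entry */
    /* Subtraction form avoids integer overflow in sh_offset + sh_size. */
    if (sh->sh_offset > file_size || sh->sh_size > file_size - sh->sh_offset) return -1;
    return (int64_t)(sh->sh_size / sh->sh_entsize);
}

/* Convenience wrapper so each header variant is one call. */
int64_t check_case(uint32_t type, uint64_t off, uint64_t size, uint64_t entsize,
                   uint64_t file_size)
{
    shdr_view sh = { type, off, size, entsize };
    return validate_reloc_section(&sh, file_size);
}

/* Bounds-checked little-endian 64-bit read (stand-in for a bfd_getl64-style helper). */
static int getl64(const uint8_t *buf, uint64_t len, uint64_t pos, uint64_t *out)
{
    if (pos > len || len - pos < 8) return 0;
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | buf[pos + (uint64_t)i];
    *out = v;
    return 1;
}

/* Constructed "file": two Elf64_Rela entries with r_offset 0x1000 and 0x2000. */
static const uint8_t sample_file[48] = {
    0x00,0x10,0,0,0,0,0,0,  0,0,0,0,0,0,0,0,  0,0,0,0,0,0,0,0,
    0x00,0x20,0,0,0,0,0,0,  0,0,0,0,0,0,0,0,  0,0,0,0,0,0,0,0,
};

/* Walks the section only after validation; returns the sum of r_offset values or -1. */
int64_t sum_r_offsets(const uint8_t *file, uint64_t file_size, const shdr_view *sh)
{
    int64_t n = validate_reloc_section(sh, file_size);
    if (n < 0) return -1;
    uint64_t sum = 0;
    for (int64_t i = 0; i < n; i++) {
        uint64_t r_offset;
        uint64_t pos = sh->sh_offset + (uint64_t)i * sh->sh_entsize;
        if (!getl64(file, file_size, pos, &r_offset))
            return -1;  /* unreachable after validation; kept as defence in depth */
        sum += r_offset;
    }
    return (int64_t)sum;
}

/* Same constructed file, header built with the given sh_entsize. */
int64_t demo_sum(uint64_t entsize)
{
    shdr_view sh = { SHT_RELA, 0, sizeof sample_file, entsize };
    return sum_r_offsets(sample_file, sizeof sample_file, &sh);
}

int main(void)
{
    printf("sh_entsize 24: %lld\n", (long long)demo_sum(24));  /* 12288 (0x3000) */
    printf("sh_entsize 0:  %lld\n", (long long)demo_sum(0));   /* -1, rejected */
    return 0;
}
```

The point of the ordering is that the header is rejected before the first entry is read, so a hostile sh_entsize never reaches the per-entry reader; the bounds check inside getl64 is a second line, not the one that matters.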

Comment 1 Guilherme de Almeida Suckevicz 2021-04-16 17:35:57 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1950481]


Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1950480]

Comment 6 Marco Benatto 2021-04-26 15:42:09 UTC
A crafted ELF object can lead to a heap-based out-of-bounds read in the _bfd_elf_slurp_secondary_reloc_section() function. The impact of this flaw is considered low, as the crafted object can eventually read only a few bytes past the heap-allocated buffer for section headers. For an attack to be successful, the attacker needs to lure the victim into opening the malicious ELF file. The heap data eventually leaked is related mostly to the current process for the single victim user's run, not affecting other users or applications on the system, implying only a low confidentiality impact.

Comment 9 errata-xmlrpc 2021-11-09 18:28:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4364 https://access.redhat.com/errata/RHSA-2021:4364

Comment 10 Product Security DevOps Team 2021-11-09 22:24:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-35448