Bug 2167467 (CVE-2023-25584)

Summary: CVE-2023-25584 binutils: Out of bounds read in parse_module function in bfd/vms-alpha.c
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ailan, bdettelb, caswilli, dffrench, dkuc, fjansen, fweimer, gdb-bugs, gzaronik, hbraun, hkataria, jburrell, jkoehler, jmitchel, jtanner, jwon, kaycoth, keiths, kshier, mcermak, micjohns, mpolacek, mprchlik, ngough, nickc, ohudlick, rgodfrey, rjones, sipoyare, sthirugn, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2174117, 2174118, 2174119, 2174120, 2174121, 2174122, 2174123, 2174124, 2174125, 2174180, 2174181    
Bug Blocks: 2160830    

Description Pedro Sampaio 2023-02-06 17:27:53 UTC 
Out of bounds read flaws were found in Binutils in parse_module function in bfd/vms-alpha.c

Upstream fix:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44
Comment 1 Siddhesh Poyarekar 2023-02-06 18:41:04 UTC 
I don't think we build this in RHEL/Fedora binutils configurations.  Nick, can you confirm?
Comment 3 Nick Clifton 2023-02-07 12:20:31 UTC 
(In reply to Siddhesh Poyarekar from comment #1)
> I don't think we build this in RHEL/Fedora binutils configurations.  Nick,
> can you confirm?

Almost.  We do not build it for Fedora (rawhide/f37/f36) or RHEL-9.
But we do build it for RHEL-8, RHEL-7 and RHEL-6.  This is because,
for those targets, there is a problem with the configure script for
the gold linker when the s390x architecture is targeted.  In order 
to work around this problem I configure the s390x binutils with the
--enable-targets=all option, which then includes support for vms-alpha.

There is a solution for this workaround which removes the need to
build for all targets, and it could be backported to RHEL 8/7/6,
but at the time I felt that since the workaround solves the problem,
creating an update was just creating extra work.
Comment 9 Siddhesh Poyarekar 2023-03-01 17:35:00 UTC 
This does not affect gdb in RHEL or Fedora; gdb does not have or build the affected code.