Bug 2233949 (CVE-2022-48063)

Summary: CVE-2022-48063 binutils: excessive memory consumption in load_separate_debug_files() in dwarf.c
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: acrosby, ailan, bdettelb, caswilli, desktop-qa-list, fjansen, fweimer, gdb-bugs, hkataria, jburrell, jmitchel, jsamir, jsherril, jtanner, kaycoth, keiths, kshier, mcermak, mpolacek, mprchlik, nickc, ohudlick, psegedy, rjones, sipoyare, sthirugn, tsasak, virt-maint, vkrizan
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
An excessive memory consumption vulnerability has been found in GNU Binutils within the function load_separate_debug_files in dwarf2.c. This vulnerability could be exploited by an attacker supplying a crafted ELF file, leading to a denial of service attack due to excessive memory usage.
Last Closed: 2023-11-09 09:15:32 UTC
Bug Depends On: 2233950, 2233951, 2233952, 2234089, 2234090, 2234091, 2234092, 2234093, 2234094, 2234095, 2234096, 2234097, 2234098, 2234099, 2234100, 2234101, 2234102, 2234103    
Bug Blocks: 2233947    

Description Guilherme de Almeida Suckevicz 2023-08-23 19:23:30 UTC
GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function load_separate_debug_files at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.

References:
https://sourceware.org/bugzilla/show_bug.cgi?id=29924
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75393a2d54bcc40053e5262a3de9d70c5ebfbbfd

Comment 1 Guilherme de Almeida Suckevicz 2023-08-23 19:25:43 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 2233950]


Created gdb tracking bugs for this issue:

Affects: fedora-all [bug 2233951]


Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 2233952]

Comment 4 Nick Clifton 2023-08-24 11:44:55 UTC
(In reply to Guilherme de Almeida Suckevicz from comment #0)
> GNU Binutils before 2.40 was discovered to contain an excessive memory
> consumption vulnerability via the function load_separate_debug_files at
> dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS
> attack.

The SECURITY.txt file in the upstream GNU Binutils sources makes it clear that bugs in inspection tools like objdump and readelf should not be considered to be security issues and hence do not qualify as a CVE.

I also fail to see how this bug could be used as part of a DNS attack, since invoking an inspection tool like objdump is not part of any normal service.