Bug 2233963 (CVE-2022-48065)

Summary: CVE-2022-48065 binutils: memory leak in find_abstract_instance() in dwarf2.c
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: acrosby, ailan, bdettelb, caswilli, desktop-qa-list, fjansen, fweimer, gdb-bugs, hkataria, jburrell, jmitchel, jsamir, jsherril, jtanner, kaycoth, keiths, kshier, mcermak, mpolacek, mprchlik, nickc, ohudlick, psegedy, rjones, sipoyare, sthirugn, tsasak, virt-maint, vkrizan
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Text:
A memory leak vulnerability was found in GNU Binutils, particularly in the function find_abstract_instance() in dwarf2.c. This flaw could be exploited by an attacker who provides a specially crafted input, potentially leading to a denial of service condition due to the continuous consumption of memory resources.
Last Closed: 2023-11-09 09:15:59 UTC
Bug Depends On: 2233964, 2233965, 2233966, 2234120, 2234121, 2234122, 2234123, 2234124, 2234125, 2234126, 2234127, 2234128, 2234129, 2234130, 2234131, 2234132, 2234133, 2234134    
Bug Blocks: 2233947    

Description Guilherme de Almeida Suckevicz 2023-08-23 19:59:47 UTC
GNU Binutils before 2.40 was discovered to contain a memory leak vulnerability via the function find_abstract_instance in dwarf2.c.

References:
https://sourceware.org/bugzilla/show_bug.cgi?id=29925
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d28fbc7197ba0e021a43f873eff90b05dcdcff6a

Comment 1 Guilherme de Almeida Suckevicz 2023-08-23 20:01:42 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 2233964]


Created gdb tracking bugs for this issue:

Affects: fedora-all [bug 2233965]


Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 2233966]

Comment 4 Nick Clifton 2023-08-24 11:58:17 UTC
(In reply to Guilherme de Almeida Suckevicz from comment #0)
> GNU Binutils before 2.40 was discovered to contain a memory leak
> vulnerability via the function find_abstract_instance in dwarf2.c.

The SECURITY.txt file found in the upstream GNU Binutils sources makes it clear that bugs in inspection tools like nm are not considered to be security issues, and hence do not qualify for CVE treatment.