Bug 2234013 (CVE-2022-47673)

Summary: CVE-2022-47673 binutils: out-of-bounds read in parse_module() in bfd/vms-alpha.c via addr2line
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: acrosby, ailan, bdettelb, caswilli, desktop-qa-list, fjansen, fweimer, gdb-bugs, hkataria, jburrell, jmitchel, jsamir, jsherril, jtanner, kaycoth, keiths, kshier, mcermak, mpolacek, mprchlik, nickc, ohudlick, psegedy, rjones, sipoyare, sthirugn, tsasak, virt-maint, vkrizan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-11-09 09:18:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2234017, 2234018, 2234019, 2234285, 2234286, 2234287, 2234288, 2234289, 2234290, 2234291, 2234292, 2234293, 2234294, 2234295, 2234296, 2234297, 2234298, 2234299    
Bug Blocks: 2233947    

Description Guilherme de Almeida Suckevicz 2023-08-23 21:20:47 UTC 
An issue was discovered in Binutils addr2line before 2.39.3, function parse_module contains multiple out of bound reads which may cause a denial of service or other unspecified impacts.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=29876
Comment 1 Guilherme de Almeida Suckevicz 2023-08-23 21:24:26 UTC 
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 2234017]


Created gdb tracking bugs for this issue:

Affects: fedora-all [bug 2234018]


Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 2234019]
Comment 4 Nick Clifton 2023-08-24 13:00:08 UTC 
(In reply to Guilherme de Almeida Suckevicz from comment #0)
> An issue was discovered in Binutils addr2line before 2.39.3, function
> parse_module contains multiple out of bound reads which may cause a denial
> of service or other unspecified impacts.

The SECURITY.txt file found in the upstream GNU Binutils sources makes it clear that bug in inspection tools like addr2line are not considered to be security issues, and hence do not qualify for CVE treatment.