Bug 2344896

Summary: CVE-2025-0840 binutils: GNU Binutils objdump.c disassemble_bytes stack-based overflow [fedora-41]
Product: Fedora
Reporter: Michal Findra <mfindra>
Component: binutils
Assignee: Nick Clifton <nickc>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: medium
Version: 41
CC: dvlasenk, fweimer, jakub, josmyers, nickc, sipoyare, suraj.ghimire7, yahmad
Target Milestone: ---
Keywords: Reopened, Security, SecurityTracking
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: {"flaws": ["c0fb1238-9288-48e6-8188-e3da9a733d19"]}
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2025-03-18 10:43:06 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2342875

Description Michal Findra 2025-02-11 13:42:22 UTC
More information about this security flaw is available in the following bug:

https://bugzilla.redhat.com/show_bug.cgi?id=2342875

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 2 Nick Clifton 2025-03-17 16:04:19 UTC
I would like to contest reopening this bug.

First of all, the SECURITY.txt document that ships as part of the binutils sources makes it clear that bugs in inspection tools like objdump are not considered to be security issues, as they cannot affect the generation of good binaries.

Second of all, the CVE suggests that this flaw can be triggered remotely, but it is hard to see how this is possible. The objdump program has no network connectivity, and I fail to see how a remote attack could make use of it.

Finally, all that the flaw can do is cause the objdump program to fail with an illegal memory access. Since the program is not intended to remain in memory or provide any kind of service, having it terminate will not affect any other process or user.

Comment 3 Nick Clifton 2025-03-18 10:43:06 UTC
I am going to close this BZ.

I feel that the bug does not really meet the criteria for a CVE, or at least not a CVE that needs to be fixed here.

The current rawhide binutils include the patch that fixes the bug, and I do not feel that it is worth backporting the patch to other Fedora releases since the problem can only be triggered by corrupt input, not valid files.