Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1162655 - (CVE-2014-8737) CVE-2014-8737 binutils: directory traversal vulnerability
CVE-2014-8737 binutils: directory traversal vulnerability
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20141104,repor...
: Security
Depends On: 1162662 1162656 1162657 1162658 1162659 1162660 1162661 1162664 1162665 1168281 1168302 1172710
Blocks: 1156276 1210268
  Show dependency treegraph
 
Reported: 2014-11-11 07:46 EST by Vasyl Kaigorodov
Modified: 2017-01-20 04:40 EST (History)
24 users (show)

See Also:
Fixed In Version: binutils 2.25
Doc Type: Bug Fix
Doc Text:
A directory traversal flaw was found in the strip and objcopy utilities. A specially crafted file could cause strip or objdump to overwrite an arbitrary file writable by the user running either of these utilities.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Proposed patch (5.87 KB, patch)
2014-11-11 16:07 EST, Nick Clifton 		no flags Details | Diff
Remove resource leak from binutils-th1162655.patch (740 bytes, patch)
2015-10-16 11:08 EDT, Nick Clifton 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2079 normal SHIPPED_LIVE Moderate: binutils security, bug fix, and enhancement update 2015-11-19 02:41:11 EST

  None (edit)
Description Vasyl Kaigorodov 2014-11-11 07:46:51 EST 
Directory traversal vulnerability allowing random files deleteion/creation was reported [1] in binutils.
Upstream patch is in [2].
Reproducer is available in https://sourceware.org/bugzilla/show_bug.cgi?id=17552#c0

[1]: https://sourceware.org/bugzilla/show_bug.cgi?id=17552
[2]: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dd9b91de2149ee81d47f708e7b0bbf57da10ad42
Comment 1 Vasyl Kaigorodov 2014-11-11 07:48:24 EST 
Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1162660]
Affects: epel-all [bug 1162665]
Comment 2 Vasyl Kaigorodov 2014-11-11 07:48:29 EST 
Created avr-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1162657]
Affects: epel-all [bug 1162662]
Comment 3 Vasyl Kaigorodov 2014-11-11 07:48:33 EST 
Created arm-none-eabi-binutils-cs tracking bugs for this issue:

Affects: fedora-all [bug 1162656]
Comment 4 Vasyl Kaigorodov 2014-11-11 07:48:35 EST 
Created msp430-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1162661]
Comment 5 Vasyl Kaigorodov 2014-11-11 07:48:38 EST 
Created cross-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1162659]
Affects: epel-all [bug 1162664]
Comment 6 Vasyl Kaigorodov 2014-11-11 07:48:41 EST 
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1162658]
Comment 8 Nick Clifton 2014-11-11 16:07:11 EST 
Created attachment 956421 [details]
Proposed patch

Hi Jeff, Hi Patsy,

  I have uploaded a specially crafted patch that combines both of the fixes for PR 17552, built against the RHEL 7.1 sources.  I hope that this helps.

Cheers
  Nick
Comment 9 Jeff Law 2014-11-12 17:09:12 EST 
Thanks Nick.  I'm watching this very closely as we have a small window where we can fix this for RHEL 7.1.  However, right now, this stuff is not slated for 7.1 by nature of no RHEL BZs from the security team, which is probably an artifact of these being marked as med/med or lower from an security standpoint.

My preference is to fix this and the controlled write in the BFD ELF code for RHEL 7.1 and RHEL 6.7.  I do _not_ want to issue z-streams for these issues if we can avoid it.
Comment 10 Vasyl Kaigorodov 2014-11-26 10:08:02 EST 
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Comment 12 Fedora Update System 2014-12-05 21:36:48 EST 
arm-none-eabi-binutils-cs-2014.05.28-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2014-12-05 21:40:19 EST 
avr-binutils-2.24-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2014-12-06 05:03:48 EST 
avr-binutils-2.24-4.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2014-12-06 05:08:38 EST 
arm-none-eabi-binutils-cs-2014.05.28-3.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2014-12-06 23:37:14 EST 
avr-binutils-2.24-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2014-12-06 23:39:14 EST 
arm-none-eabi-binutils-cs-2014.05.28-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2015-01-21 18:07:12 EST 
binutils-2.24-30.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Vasyl Kaigorodov 2015-05-13 06:05:35 EDT 
Reproducer is available in https://sourceware.org/bugzilla/show_bug.cgi?id=17552#c0
Comment 22 Nick Clifton 2015-10-16 11:08 EDT 
Created attachment 1083729 [details]
Remove resource leak from binutils-th1162655.patch

Note - the patch for this BZ inadvertently introduced a resource leak into the binutils sources.  This leak is detected by the covscan tool.

What can happen is that a buffer of 8192 bytes is allocated but not freed.  This only happens when an illegal archive is being processed, and in this case the program will exit very shortly afterwards.  So the resource will not prevent the proper functioning of the program on valid archives, and it will not prevent the program from reporting and exiting (cleanly) on invalid archives.

Since this problem has been detected so late in the 7.2 release process, a fix for it is being delayed until 7.3.  The update to fix the patch is uploaded here.

Cheers
  Nick
Comment 23 Jeff Law 2015-10-19 13:25:11 EDT 
Makes sense to me.
Comment 24 errata-xmlrpc 2015-11-18 22:33:44 EST 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2079 https://rhn.redhat.com/errata/RHSA-2015-2079.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.