An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c. Reference: https://sourceware.org/bugzilla/show_bug.cgi?id=24236
Created binutils tracking bugs for this issue:
Affects: fedora-all [bug 1680670]
```
==6814== Memcheck, a memory error detector
==6814== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==6814== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==6814== Command: size poc
==6814==
==6814== Invalid write of size 1
==6814==    at 0x4F27D5C: _bfd_archive_64_bit_slurp_armap (archive64.c:126)
==6814==    by 0x4E884A7: bfd_slurp_armap (archive.c:1156)
==6814==    by 0x4E88174: bfd_generic_archive_p (archive.c:864)
==6814==    by 0x4E8F924: bfd_check_format_matches (format.c:352)
==6814==    by 0x10AFA2: display_file (size.c:403)
==6814==    by 0x10A3F5: main (size.c:240)
==6814==  Address 0x5773328 is 0 bytes after a block of size 4,472 alloc'd
==6814==    at 0x4C30E8B: malloc (vg_replace_malloc.c:309)
==6814==    by 0x4F3DD21: _objalloc_alloc (objalloc.c:143)
==6814==    by 0x4E970DD: bfd_alloc (opncls.c:949)
==6814==    by 0x4E975CC: bfd_zalloc (opncls.c:998)
==6814==    by 0x4F27C9F: _bfd_archive_64_bit_slurp_armap (archive64.c:98)
==6814==    by 0x4E884A7: bfd_slurp_armap (archive.c:1156)
==6814==    by 0x4E88174: bfd_generic_archive_p (archive.c:864)
==6814==    by 0x4E8F924: bfd_check_format_matches (format.c:352)
==6814==    by 0x10AFA2: display_file (size.c:403)
==6814==    by 0x10A3F5: main (size.c:240)
==6814==
==6814==
==6814== HEAP SUMMARY:
==6814==     in use at exit: 0 bytes in 0 blocks
==6814==   total heap usage: 90 allocs, 90 frees, 31,320 bytes allocated
==6814==
==6814== All heap blocks were freed -- no leaks are possible
==6814==
==6814== For counts of detected and suppressed errors, rerun with: -v
==6814== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```
and
```
size poc
double free or corruption (!prev)
Aborted (core dumped)
```
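As an added illustration (this is not libbfd's code and not a reproducer for the bug above), the following standalone C parser reads the on-disk layout that _bfd_archive_64_bit_slurp_armap handles: the body of a 64-bit archive symbol index, which is an 8-byte big-endian symbol count, that many 8-byte big-endian member offsets, and then a string table of NUL-terminated names. The point it demonstrates is the discipline a heap write like the one in the Valgrind trace calls for: every allocation and copy is bounded by the member length the caller already trusts, the count-derived table size is checked by division before any multiplication so an oversized count cannot wrap, and the string walk is fenced by a sentinel so a short table is rejected instead of read past. The sample byte strings and the offsets in them are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Body of a 64-bit archive symbol index ("/SYM64/" member):
 *   8 bytes   big-endian symbol count N
 *   8*N bytes big-endian file offsets of the defining members
 *   rest      string table: N NUL-terminated symbol names            */
typedef struct {
    uint64_t nsyms;
    uint64_t *offsets;   /* nsyms entries                      */
    const char **names;  /* nsyms pointers into strtab         */
    char *strtab;        /* private copy, always NUL-terminated */
} armap64;

static uint64_t get_be64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

void free_armap64(armap64 *m)
{
    free(m->offsets);
    free(m->names);
    free(m->strtab);
    memset(m, 0, sizeof *m);
}

/* Returns 0 on success, -1 if the member is malformed. */
int parse_armap64(const unsigned char *buf, size_t len, armap64 *m)
{
    memset(m, 0, sizeof *m);
    if (len < 8)
        return -1;
    uint64_t nsyms = get_be64(buf);
    /* Offset table must fit after the count: 8 + 8*nsyms <= len, checked
     * as a division so a huge nsyms cannot wrap the product. */
    if (nsyms > (len - 8) / 8)
        return -1;
    size_t table_end = 8 + (size_t)nsyms * 8;   /* cannot overflow now */
    size_t strtab_len = len - table_end;

    m->offsets = calloc(nsyms + 1, sizeof *m->offsets);
    m->names   = calloc(nsyms + 1, sizeof *m->names);
    m->strtab  = malloc(strtab_len + 1);
    if (!m->offsets || !m->names || !m->strtab) {
        free_armap64(m);
        return -1;
    }
    memcpy(m->strtab, buf + table_end, strtab_len);
    m->strtab[strtab_len] = '\0';   /* sentinel: strlen() cannot run off the end */
    m->nsyms = nsyms;

    for (uint64_t i = 0; i < nsyms; i++)
        m->offsets[i] = get_be64(buf + 8 + i * 8);

    /* Each name's NUL must lie inside the copied data, before the
     * sentinel; otherwise the file promised more names than it holds. */
    const char *p = m->strtab, *end = m->strtab + strtab_len;
    for (uint64_t i = 0; i < nsyms; i++) {
        size_t n = strlen(p);
        if (p + n >= end) {
            free_armap64(m);
            return -1;
        }
        m->names[i] = p;
        p += n + 1;
    }
    return 0;
}

/* Resolve a symbol to its member offset: -1 if absent, -2 if the
 * index is malformed. */
long long lookup_offset(const unsigned char *buf, size_t len, const char *name)
{
    armap64 m;
    long long off = -1;
    if (parse_armap64(buf, len, &m) != 0)
        return -2;
    for (uint64_t i = 0; i < m.nsyms; i++)
        if (strcmp(m.names[i], name) == 0) { off = (long long)m.offsets[i]; break; }
    free_armap64(&m);
    return off;
}

/* Constructed samples (offsets are arbitrary, not from a real archive). */
static const unsigned char GOOD[] = {            /* 2 symbols, well formed */
    0,0,0,0,0,0,0,2,  0,0,0,0,0,0,0,0x48,  0,0,0,0,0,0,1,0xc8,
    'f','o','o',0, 'b','a','r',0 };
static const unsigned char BAD_COUNT[] = {       /* count would wrap 8*N   */
    0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,  0,0,0,0,0,0,0,0 };
static const unsigned char TRUNC[] = {           /* 2 promised, 1 offset   */
    0,0,0,0,0,0,0,2,  0,0,0,0,0,0,0,0x48 };
static const unsigned char SHORT_STRTAB[] = {    /* name lacks its NUL     */
    0,0,0,0,0,0,0,1,  0,0,0,0,0,0,0,0x48,  'f','o','o' };

int main(void)
{
    printf("bar -> %lld\n", lookup_offset(GOOD, sizeof GOOD, "bar"));
    printf("bad count -> %lld\n", lookup_offset(BAD_COUNT, sizeof BAD_COUNT, "foo"));
    printf("short strtab -> %lld\n", lookup_offset(SHORT_STRTAB, sizeof SHORT_STRTAB, "foo"));
    return 0;
}
```

The three malformed samples each fail a different check: BAD_COUNT trips the division-based size test, TRUNC has a count larger than the space left for its offset table, and SHORT_STRTAB reaches the sentinel before finding the terminating NUL of its only name. None of them causes a write outside the buffers the parser allocated.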
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-9075