Bug 1686781 (CVE-2018-14038) - CVE-2018-14038 libbfd: remote dos via crafted file in function aout_32_swap_std_reloc_out in aoutx.h
Keywords:
Status: CLOSED DUPLICATE of bug 1553115
Alias: CVE-2018-14038
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1686782
Blocks: 1686787
Reported: 2019-03-08 10:04 UTC by Dhananjay Arunesh
Modified: 2021-02-16 22:17 UTC

Fixed In Version:
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-03-12 17:26:39 UTC
Embargoed:


Description Dhananjay Arunesh 2019-03-08 10:04:32 UTC
The aout_32_swap_std_reloc_out function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils before 2.31, allows remote attackers to cause a denial of service (segmentation fault and application crash) via a crafted file, as demonstrated by objcopy.

References:
http://git.hunter-ht.cn/zhanggen/objcopy_crash_input_1
https://sourceware.org/bugzilla/show_bug.cgi?id=23405

Comment 1 Dhananjay Arunesh 2019-03-08 10:06:04 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1686782]

Comment 3 Riccardo Schirone 2019-03-12 17:25:29 UTC
This appears to be a duplicate of bug 1553115 (CVE-2018-7642) according to upstream.
Also, this can be seen by looking at the stack traces, which are the same:

```
Program received signal SIGSEGV, Segmentation fault.
0x084cf65c in aout_32_swap_std_reloc_out (natptr=0xf590528c, g=0xf4b03fe8, abfd=<optimized out>) at /work/binutils-gdb/bfd/aoutx.h:1971
1971      asection *output_section = sym->section->output_section;
(gdb) bt
#0  0x084cf65c in aout_32_swap_std_reloc_out (natptr=0xf590528c, g=0xf4b03fe8, abfd=<optimized out>) at /work/binutils-gdb/bfd/aoutx.h:1971
#1  aout_32_squirt_out_relocs (abfd=0xf5b03970, section=0xf5903d48) at /work/binutils-gdb/bfd/aoutx.h:2444
#2  0x0849ae05 in i386linux_write_object_contents (abfd=0xf5b03970) at /work/binutils-gdb/bfd/i386linux.c:77
#3  0x081a9940 in bfd_close (abfd=0xf5b03970) at /work/binutils-gdb/bfd/opncls.c:731
#4  0x08080bbe in copy_file (input_filename=input_filename@entry=0xffffd8ef "out/slave/crashes/id:000125,sig:06,src:003346+002348,op:splice,rep:8", output_filename=output_filename@entry=0xf6500b80 "out/slave/crashes/stv31c0r", input_target=<optimized out>, 
    output_target=0x87f6320 "a.out-i386-linux", input_arch=0x0) at /work/binutils-gdb/binutils/objcopy.c:3530
#5  0x0805b429 in copy_main (argv=<optimized out>, argc=<optimized out>) at /work/binutils-gdb/binutils/objcopy.c:5478
#6  main (argc=2, argv=0xffffd7c4) at /work/binutils-gdb/binutils/objcopy.c:5582
```
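
The duplicate call in Comment 3 rests on both backtraces naming the same frames. As an added illustration (not code from this bug or from binutils), the sketch below reduces a gdb backtrace to a bucket key of function and source file per frame, so traces that differ only in addresses, arguments, line numbers or build path compare equal. `TRACE_CONSTRUCTED` is a made-up second trace for the comparison, not the trace from bug 1553115.

```python
import posixpath
import re

# gdb frame line: "#N  [0xADDR in ]function (args) at path:line"
FRAME_RE = re.compile(
    r"^#\d+\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(\w+)\s*\(.*\)\s+at\s+(\S+):\d+$")

def frames(bt_text):
    """Return [(function, source basename), ...] from gdb 'bt' output."""
    joined = []
    for line in bt_text.splitlines():
        if line.startswith("#"):
            joined.append(line.strip())
        elif joined and line.strip():
            # gdb wraps long argument lists; fold the continuation into its frame
            joined[-1] += " " + line.strip()
    out = []
    for frame in joined:
        m = FRAME_RE.match(frame)
        if m:
            out.append((m.group(1), posixpath.basename(m.group(2))))
    return out

def signature(bt_text, depth=4):
    """Crash bucket key: innermost `depth` frames, without addresses or args."""
    return tuple(frames(bt_text)[:depth])

# Frames #0-#4 as quoted in Comment 3 (frame #4 is wrapped over two lines).
TRACE_PAGE = """\
#0  0x084cf65c in aout_32_swap_std_reloc_out (natptr=0xf590528c, g=0xf4b03fe8, abfd=<optimized out>) at /work/binutils-gdb/bfd/aoutx.h:1971
#1  aout_32_squirt_out_relocs (abfd=0xf5b03970, section=0xf5903d48) at /work/binutils-gdb/bfd/aoutx.h:2444
#2  0x0849ae05 in i386linux_write_object_contents (abfd=0xf5b03970) at /work/binutils-gdb/bfd/i386linux.c:77
#3  0x081a9940 in bfd_close (abfd=0xf5b03970) at /work/binutils-gdb/bfd/opncls.c:731
#4  0x08080bbe in copy_file (input_filename=input_filename@entry=0xffffd8ef "out/slave/crashes/id:000125,sig:06,src:003346+002348,op:splice,rep:8", output_filename=output_filename@entry=0xf6500b80 "out/slave/crashes/stv31c0r", input_target=<optimized out>, 
    output_target=0x87f6320 "a.out-i386-linux", input_arch=0x0) at /work/binutils-gdb/binutils/objcopy.c:3530
"""
# Constructed sample: same call chain, different build path, addresses and lines.
TRACE_CONSTRUCTED = """\
#0  0x00000000004d2a10 in aout_32_swap_std_reloc_out (abfd=0x8c1d70, g=0x8d4f28, natptr=0x8d6010) at /build/src/bfd/aoutx.h:1968
#1  aout_32_squirt_out_relocs (abfd=0x8c1d70, section=0x8c4e98) at /build/src/bfd/aoutx.h:2441
#2  0x00000000004a1f33 in i386linux_write_object_contents (abfd=0x8c1d70) at /build/src/bfd/i386linux.c:77
#3  0x000000000041b2c5 in bfd_close (abfd=0x8c1d70) at /build/src/bfd/opncls.c:729
"""

if __name__ == "__main__":
    print(signature(TRACE_PAGE) == signature(TRACE_CONSTRUCTED))
```

A matching key only says the crash site and call path agree; confirming a duplicate still needs the upstream fix or root cause to be the same, as was done here against upstream.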

Comment 4 Riccardo Schirone 2019-03-12 17:26:39 UTC

*** This bug has been marked as a duplicate of bug 1553115 ***

Comment 5 Riccardo Schirone 2019-03-12 17:30:09 UTC
Request to mark this CVE as duplicate of CVE-2018-7642 has been submitted to Mitre.

Comment 7 Doran Moppert 2020-02-10 04:36:40 UTC
Statement:

This flaw was found to be a duplicate of CVE-2018-7642. Please see https://access.redhat.com/security/cve/CVE-2018-7642 for information about affected products and security errata.
