An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. There is a heap-based buffer over-read in _bfd_doprnt in bfd.c because elf_object_p in elfcode.h mishandles an e_shstrndx section of type SHT_GROUP by omitting a trailing '\0' character. Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=24689 Upstream fix: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=14b2a8e4244a29208ad430167860a0f01b20f215
The out-of-bounds read happens in setup_group() in elf.c, when called by _bfd_elf_make_section_from_shdr(). This is due to too loose checks in elf_object_p() in elfcode.h, which accepts e_shstrndx pointing to a section that is not SHT_STRTAB.
Statement: Impact of the flaw set to Low because it is not considered a common use case to analyze and debug untrusted binaries.
Created binutils tracking bugs for this issue: Affects: fedora-all [bug 1835138] Created mingw-binutils tracking bugs for this issue: Affects: fedora-all [bug 1835139]