GNU Binutils before 2.34 has a NULL pointer deference vulnerability in function bfd_pef_parse_symbols (file bfd/pef.c) which could allow attackers to cause a denial of service. Reference: https://sourceware.org/bugzilla/show_bug.cgi?id=25306
Created mingw-binutils tracking bugs for this issue: Affects: fedora-all [bug 1911442]
Flaw technical summary: In `bfd_pef_parse_symbols()` of bfd/pef.c, a call is made to `bfd_malloc()` and the return pointer is dereferenced and written to in a call to `bfd_bread()` without first checking to ensure that the pointer does not point to NULL. Due to the fact that a crafted file could cause this allocation to fail, it's possible for an attacker to trigger a NULL pointer dereference.
Statement: binutils as shipped with Red Hat Enterprise Linux 8's GCC Toolset 10 and Red Hat Developer Toolset 10 are not affected by this flaw because the versions shipped have already received the patch.
Upstream commit: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7a0fb7be96e0ce79e1ae429bc1ba913e5244d537