An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1. A heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section in elf.c.
Reference: https://sourceware.org/bugzilla/show_bug.cgi?id=26574
Upstream patch: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8642dafaef21aa6747cec01df1977e9c52eb4679
Created binutils tracking bugs for this issue: Affects: fedora-all [bug 1950481]
Created mingw-binutils tracking bugs for this issue: Affects: fedora-all [bug 1950480]
Public patch for this issue: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8642dafaef21aa6747cec01df1977e9c52eb4679
A crafted ELF object can lead to a heap-based out-of-bounds read in the _bfd_elf_slurp_secondary_reloc_section() function. The impact of this flaw is considered low, as the crafted object can eventually read only a few bytes past the heap-allocated buffer for section headers. For an attack to be successful, the attacker needs to lure the victim into opening the malicious ELF file. The heap data eventually leaked relates mostly to the current process of the single victim user's run, not affecting other users or applications on the system, implying only a low confidentiality impact.
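The missing sh_entsize validation described above, as an added example that is not part of the original comments and is not the upstream binutils patch: a stand-alone C check that rejects a relocation section header before any entry is read. The `shdr_view` struct, the function names and the sample headers are hypothetical, and `unchecked_overread` is an assumed simplified model of an unvalidated walk, not code taken from elf.c.

```c
#include <stdint.h>
#include <stdio.h>

/* Only the ELF64 section-header fields this check needs (hypothetical view struct). */
typedef struct {
    uint32_t sh_type;
    uint64_t sh_offset;   /* file offset of the section contents */
    uint64_t sh_size;     /* size of the contents in bytes */
    uint64_t sh_entsize;  /* claimed size of one entry; comes from the file */
} shdr_view;

enum { SHT_RELA = 4, SHT_REL = 9, REL64_SIZE = 16, RELA64_SIZE = 24 };

/* Size the parser will actually read per entry, or 0 for non-reloc types. */
static uint64_t real_entry_size(uint32_t type)
{
    return type == SHT_REL ? REL64_SIZE : type == SHT_RELA ? RELA64_SIZE : 0;
}

/* Number of entries that can be read safely, or -1 if the header must be rejected. */
long checked_reloc_count(const shdr_view *sh, uint64_t file_size)
{
    uint64_t real = real_entry_size(sh->sh_type);
    /* Not a reloc section, or a zero / non-standard entry size. */
    if (real == 0 || sh->sh_entsize != real) return -1;
    if (sh->sh_size % real != 0) return -1;       /* partial trailing entry */
    if (sh->sh_offset > file_size ||              /* wraparound-safe bounds check */
        sh->sh_size > file_size - sh->sh_offset) return -1;
    return (long)(sh->sh_size / real);
}

/* Assumed model of an unchecked walk: count = sh_size / sh_entsize, stride = sh_entsize,
   but each read covers a full real entry. Returns bytes read past the buffer. */
uint64_t unchecked_overread(const shdr_view *sh)
{
    uint64_t real = real_entry_size(sh->sh_type);
    if (real == 0 || sh->sh_entsize == 0 || sh->sh_size < sh->sh_entsize) return 0;
    uint64_t end = (sh->sh_size / sh->sh_entsize - 1) * sh->sh_entsize + real;
    return end > sh->sh_size ? end - sh->sh_size : 0;
}

int main(void)
{
    shdr_view good = { SHT_RELA, 0x400, 48, 24 };  /* constructed sample headers */
    shdr_view bad  = { SHT_RELA, 0x400, 48, 8 };   /* entsize smaller than a real entry */
    printf("good: count=%ld overread=%llu\n", checked_reloc_count(&good, 4096),
           (unsigned long long)unchecked_overread(&good));
    printf("bad:  count=%ld overread=%llu\n", checked_reloc_count(&bad, 4096),
           (unsigned long long)unchecked_overread(&bad));
}
```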
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4364 https://access.redhat.com/errata/RHSA-2021:4364
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-35448