Bug 2167467 (CVE-2023-25584) - CVE-2023-25584 binutils: Out of bounds read in parse_module function in bfd/vms-alpha.c
Summary: CVE-2023-25584 binutils: Out of bounds read in parse_module function in bfd/v...
Keywords:
Status: NEW
Alias: CVE-2023-25584
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2174117 2174118 2174119 2174120 2174121 2174122 2174123 2174124 2174125 2174180 2174181
Blocks: 2160830
TreeView+ depends on / blocked
 
Reported: 2023-02-06 17:27 UTC by Pedro Sampaio
Modified: 2024-03-18 13:05 UTC (History)
30 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
An out-of-bounds read flaw was found in the parse_module function in bfd/vms-alpha.c in Binutils.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Pedro Sampaio 2023-02-06 17:27:53 UTC
Out of bounds read flaws were found in Binutils in parse_module function in bfd/vms-alpha.c

Upstream fix:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44

Comment 1 Siddhesh Poyarekar 2023-02-06 18:41:04 UTC
I don't think we build this in RHEL/Fedora binutils configurations.  Nick, can you confirm?

Comment 3 Nick Clifton 2023-02-07 12:20:31 UTC
(In reply to Siddhesh Poyarekar from comment #1)
> I don't think we build this in RHEL/Fedora binutils configurations.  Nick,
> can you confirm?

Almost.  We do not build it for Fedora (rawhide/f37/f36) or RHEL-9.
But we do build it for RHEL-8, RHEL-7 and RHEL-6.  This is because,
for those targets, there is a problem with the configure script for
the gold linker when the s390x architecture is targeted.  In order 
to work around this problem I configure the s390x binutils with the
--enable-targets=all option, which then includes support for vms-alpha.

There is a solution for this workaround which removes the need to
build for all targets, and it could be backported to RHEL 8/7/6,
but at the time I felt that since the workaround solves the problem,
creating an update was just creating extra work.

Comment 9 Siddhesh Poyarekar 2023-03-01 17:35:00 UTC
This does not affect gdb in RHEL or Fedora; gdb does not have or build the affected code.


Note You need to log in before you can comment on or make changes to this bug.