Bug 2167502 (CVE-2023-25586) - CVE-2023-25586 binutils: Local variable `ch_type` in function `bfd_init_section_decompress_status` can be uninitialized
Summary: CVE-2023-25586 binutils: Local variable `ch_type` in function `bfd_init_secti...
Keywords:
Status: NEW
Alias: CVE-2023-25586
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2160830
Reported: 2023-02-06 20:04 UTC by Pedro Sampaio
Modified: 2024-02-01 03:42 UTC
CC List: 30 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text: A flaw was found in Binutils. A logic error in the `bfd_init_section_decompress_status` function may lead to the use of an uninitialized variable that can cause a crash and local denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Pedro Sampaio 2023-02-06 20:04:55 UTC
In Binutils, at function `bfd_init_section_decompress_status`, a local variable is supposed to be initialized by function `bfd_check_compression_header`. However, since this function call is inside an `else if` branch, if the previous `if` branch is taken, the `ch_type` can be uninitialized and thus directly used to assign `sec->compress_status`. Therefore, when the `compress_status` field is used in a branch condition, the memory sanitizer aborts.

Upstream bug:

https://sourceware.org/bugzilla/show_bug.cgi?id=29855

Upstream fix:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5830876a0cca17bef3b2d54908928e72cca53502
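
The control-flow pattern the description reports, reduced to a self-contained C model with a hardened variant beside it. This is an added example, not binutils code and not the upstream fix; every function, enum and parameter name, the `hdr_size` condition and the sample inputs are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model: every name here is hypothetical, not a binutils definition. */
enum { CH_NONE = 0, CH_ZLIB = 1, CH_ZSTD = 2 };
enum { STATUS_ZLIB = 1, STATUS_ZSTD = 2 };
/* Constructed sample inputs. */
static const unsigned char LEGACY_HDR[] = { 'Z', 'L', 'I', 'B' };
static const unsigned char ZSTD_HDR[] = { CH_ZSTD };

/* Stand-in for the header check: writes *ch_type only on success. */
static bool check_header(const unsigned char *hdr, size_t len, unsigned *ch_type)
{
    if (len < 1 || (hdr[0] != CH_ZLIB && hdr[0] != CH_ZSTD))
        return false;
    *ch_type = hdr[0];
    return true;
}

/* Flawed shape: when hdr_size == 0 nothing writes ch_type before it is read. */
int status_flawed(const unsigned char *hdr, size_t len, size_t hdr_size)
{
    unsigned ch_type;
    if (hdr_size == 0) {
        if (len < 4 || memcmp(hdr, "ZLIB", 4) != 0)
            return -1;
    } else if (!check_header(hdr, len, &ch_type)) {
        return -1;
    }
    return ch_type == CH_ZSTD ? STATUS_ZSTD : STATUS_ZLIB; /* indeterminate read */
}

/* Hardened shape: ch_type has a defined default on every path to the read. */
int status_hardened(const unsigned char *hdr, size_t len, size_t hdr_size)
{
    unsigned ch_type = CH_NONE;
    if (hdr_size == 0) {
        if (len < 4 || memcmp(hdr, "ZLIB", 4) != 0)
            return -1;
    } else if (!check_header(hdr, len, &ch_type)) {
        return -1;
    }
    return ch_type == CH_ZSTD ? STATUS_ZSTD : STATUS_ZLIB;
}

int main(void)
{
    return status_hardened(LEGACY_HDR, sizeof LEGACY_HDR, 0) == STATUS_ZLIB ? 0 : 1;
}
```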

