Bug 2167502 (CVE-2023-25586) - CVE-2023-25586 binutils: Local variable `ch_type` in function `bfd_init_section_decompress_status` can be uninitialized
Status: NEW
Alias: CVE-2023-25586
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On:
Blocks: 2160830
Reported: 2023-02-06 20:04 UTC by Pedro Sampaio
Modified: 2024-02-01 03:42 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
A flaw was found in Binutils. A logic failure in the bfd_init_section_decompress_status function may lead to the use of an uninitialized variable that can cause a crash and local denial of service.
Clone Of:
Last Closed:


Description Pedro Sampaio 2023-02-06 20:04:55 UTC
In Binutils, in the function `bfd_init_section_decompress_status`, a local variable is supposed to be initialized by the function `bfd_check_compression_header`. However, since this function call is inside an `else if` branch, if the previous `if` branch is taken, `ch_type` can be uninitialized and thus directly used to assign `sec->compress_status`. Therefore, when the `compress_status` field is used in a branch condition, the memory sanitizer aborts.

Upstream bug:


Upstream fix:
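The control-flow shape described in this report, as an added illustration; it is not binutils source and not the upstream fix. A hypothetical `check_header` stands in for `bfd_check_compression_header`, the status values and the `first_branch` flag are assumptions, and a `stale` parameter models the indeterminate value of `ch_type` so the effect can be observed without undefined behaviour.

```c
#include <stdio.h>
/* Simplified stand-ins; every name and value is an assumption, not BFD code. */
enum { STATUS_A = 1, STATUS_B = 2 };
struct section { int compress_status; };

/* Stand-in for bfd_check_compression_header: the only writer of *ch_type. */
static int check_header(const unsigned char *hdr, unsigned int *ch_type) {
    if (hdr[0] != 1 && hdr[0] != 2)
        return 0;                      /* unknown header: reject */
    *ch_type = hdr[0];
    return 1;
}

/* Flawed shape; 'stale' models the indeterminate value an uninitialized ch_type holds. */
static int init_flawed(struct section *sec, const unsigned char *hdr,
                       int first_branch, unsigned int stale) {
    unsigned int ch_type = stale;      /* in the reported bug: no initializer */
    if (first_branch) {
        /* handled without check_header, so ch_type is never written */
    } else if (!check_header(hdr, &ch_type)) {
        return 0;
    }
    sec->compress_status = (ch_type == 2) ? STATUS_B : STATUS_A;
    return 1;
}

/* Hardened shape: ch_type has a defined value on every path to its use. */
static int init_fixed(struct section *sec, const unsigned char *hdr, int first_branch) {
    unsigned int ch_type = 1;          /* assumed default for the first branch */
    if (!first_branch && !check_header(hdr, &ch_type))
        return 0;
    sec->compress_status = (ch_type == 2) ? STATUS_B : STATUS_A;
    return 1;
}

/* Helpers: resulting status, or -1 when the header is rejected. */
int flawed_status(int first_branch, unsigned char h, unsigned int stale) {
    struct section s = { 0 };
    return init_flawed(&s, &h, first_branch, stale) ? s.compress_status : -1;
}
int fixed_status(int first_branch, unsigned char h) {
    struct section s = { 0 };
    return init_fixed(&s, &h, first_branch) ? s.compress_status : -1;
}

int main(void) {
    printf("flawed: %d %d, fixed: %d\n",
           flawed_status(1, 0, 1), flawed_status(1, 0, 2), fixed_status(1, 0));
    return 0;
}
```

Building the real pattern (no initializer on `ch_type`) with `-Wmaybe-uninitialized` in GCC or with Clang's `-fsanitize=memory` is how this class of defect is normally surfaced.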

