GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function load_separate_debug_files at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack. References: https://sourceware.org/bugzilla/show_bug.cgi?id=29924 https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75393a2d54bcc40053e5262a3de9d70c5ebfbbfd
Created binutils tracking bugs for this issue: Affects: fedora-all [bug 2233950] Created gdb tracking bugs for this issue: Affects: fedora-all [bug 2233951] Created mingw-binutils tracking bugs for this issue: Affects: fedora-all [bug 2233952]
(In reply to Guilherme de Almeida Suckevicz from comment #0) > GNU Binutils before 2.40 was discovered to contain an excessive memory > consumption vulnerability via the function load_separate_debug_files at > dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS > attack. The SECURITY.txt file in the upstream GNU Binutils sources makes it clear that bugs in inspectio tools like objdump and readelf should not be considered to be security issues and hence do not qualify as a CVE. I also fail to see how this bug could be used a part of a DNS attack, since invoking an inspection tool like objdump is not part of any normal service.