2234029 – (CVE-2022-47696) CVE-2022-47696 binutils: segmentation fault in compare_symbols() in objdump.c

Bug 2234029 (CVE-2022-47696) - CVE-2022-47696 binutils: segmentation fault in compare_symbols() in objdump.c

Summary: CVE-2022-47696 binutils: segmentation fault in compare_symbols() in objdump.c

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2022-47696
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2234034 2234035 2234036 2234315 2234316 2234317 2234318 2234319 2234320 2234321 2234322 2234323 2234324 2234325 2234326 2234327 2234328 2234329
Blocks:	2233947
TreeView+	depends on / blocked

Reported:	2023-08-23 22:18 UTC by Guilherme de Almeida Suckevicz
Modified:	2023-11-14 11:30 UTC (History)
CC List:	29 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A NULL pointer vulnerability was found in binutils in the 'compare_symbols' function. This flaw allows an attacker to craft a specific payload, possibly causing a denial of service that results in a loss of the system's availability.
Clone Of:
Environment:
Last Closed:	2023-11-09 09:19:11 UTC
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2023-08-23 22:18:46 UTC

An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function compare_symbols.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=29846

Comment 1 Guilherme de Almeida Suckevicz 2023-08-23 22:30:11 UTC

According to the description of this CVE in Mitre[1], the reference of this issue is this bug[2], however this bug seems related to CVE-2022-47695[3].

[1]. https://www.cve.org/CVERecord?id=CVE-2022-47695
[2]. https://sourceware.org/bugzilla/show_bug.cgi?id=29677
[3]. https://bugzilla.redhat.com/show_bug.cgi?id=2234027

Comment 2 Guilherme de Almeida Suckevicz 2023-08-23 22:31:35 UTC

Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 2234034]


Created gdb tracking bugs for this issue:

Affects: fedora-all [bug 2234035]


Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 2234036]

Comment 5 Nick Clifton 2023-08-24 13:09:26 UTC

(In reply to Guilherme de Almeida Suckevicz from comment #0)
> An issue was discovered Binutils objdump before 2.39.3 allows attackers to
> cause a denial of service or other unspecified impacts via function
> compare_symbols.

The SECURITY.txt file found in the upstream GNU Binutils sources makes it clear that bug in inspection tools like objdump are not considered to be security issues, and hence do not qualify for CVE treatment.

Note You need to log in before you can comment on or make changes to this bug.

acrosby
ailan
bdettelb
caswilli
desktop-qa-list
fjansen
fweimer
gdb-bugs
hkataria
jburrell
jmitchel
jsamir
jsherril
jtanner
kaycoth
keiths
kshier
mcermak
mpolacek
mprchlik
nickc
ohudlick
psegedy
rjones
sipoyare
sthirugn
tsasak
virt-maint
vkrizan