Bug 1647415 (CVE-2018-18606) - CVE-2018-18606 binutils: NULL pointer dereference in _bfd_add_merge_section in merge_strings function in merge.c
Summary: CVE-2018-18606 binutils: NULL pointer dereference in _bfd_add_merge_section i...
Alias: CVE-2018-18606
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1647416 1647417 1647418 1647419 1654466 1654467 1654469
Blocks: 1647427
Reported: 2018-11-07 12:43 UTC by Laura Pardo
Modified: 2021-10-25 22:21 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-10-25 22:21:56 UTC


Description Laura Pardo 2018-11-07 12:43:18 UTC
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in _bfd_add_merge_section in the merge_strings function in merge.c when attempting to merge sections with large alignments. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld. 


Upstream Patch:
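
The description above says the crash in merge_strings is reached through SHF_MERGE sections carrying large alignments. The following is an added example, not code from the bug report, from binutils, or from the upstream patch: a small Python pre-link triage check that parses an ELF64 file's section headers and reports mergeable sections whose sh_addralign is implausibly large or not a power of two, so such inputs can be refused before they reach ld. The threshold MAX_SANE_ALIGN (64 KiB), the build_elf helper and the three-section sample object are assumptions constructed for the example; the threshold is not the value that triggers the crash, and the script does not reproduce it.

```python
"""Flag SHF_MERGE sections with abusive sh_addralign in a little-endian ELF64 file.

Added triage example, not binutils code. MAX_SANE_ALIGN is an assumed cutoff;
the sample object at the bottom is constructed here for demonstration.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_REL = 1
EM_X86_64 = 62
SHT_PROGBITS = 1
SHT_STRTAB = 3
SHF_ALLOC = 0x2
SHF_MERGE = 0x10
SHF_STRINGS = 0x20

EHDR_FMT = "<HHIQQQIHHHHHH"   # Elf64_Ehdr after the 16-byte e_ident
SHDR_FMT = "<IIQQQQIIQQ"      # Elf64_Shdr, 64 bytes
SHDR_FIELDS = ("sh_name", "sh_type", "sh_flags", "sh_addr", "sh_offset",
               "sh_size", "sh_link", "sh_info", "sh_addralign", "sh_entsize")

# Assumed threshold: no compiler-emitted mergeable section needs more than this.
MAX_SANE_ALIGN = 1 << 16


def parse_section_headers(data):
    """Return the section headers of an ELF64 LE image as dicts with a resolved 'name'."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("not a little-endian ELF64 file")
    (_, _, _, _, _, e_shoff, _, _, _, _,
     e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(EHDR_FMT, data, 16)
    if e_shentsize != struct.calcsize(SHDR_FMT):
        raise ValueError("unexpected e_shentsize %d" % e_shentsize)
    if e_shoff + e_shnum * e_shentsize > len(data):
        raise ValueError("section header table runs past end of file")
    shdrs = []
    for i in range(e_shnum):
        fields = struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)
        shdrs.append(dict(zip(SHDR_FIELDS, fields)))
    # Resolve names through .shstrtab; every offset is bounds-checked first.
    if e_shstrndx >= e_shnum:
        raise ValueError("e_shstrndx out of range")
    strtab = shdrs[e_shstrndx]
    start, end = strtab["sh_offset"], strtab["sh_offset"] + strtab["sh_size"]
    if end > len(data):
        raise ValueError(".shstrtab runs past end of file")
    names = data[start:end]
    for sh in shdrs:
        off = sh["sh_name"]
        if off >= len(names):
            sh["name"] = "<bad sh_name>"
            continue
        nul = names.find(b"\0", off)
        sh["name"] = names[off:nul if nul >= 0 else len(names)].decode("ascii", "replace")
    return shdrs


def find_suspicious_merge_sections(data, max_align=MAX_SANE_ALIGN):
    """Return [(section name, reason)] for SHF_MERGE sections a linker should refuse."""
    hits = []
    for sh in parse_section_headers(data):
        if not sh["sh_flags"] & SHF_MERGE:
            continue
        align = sh["sh_addralign"]
        if align > max_align:
            hits.append((sh["name"], "sh_addralign %#x exceeds %#x" % (align, max_align)))
        elif align & (align - 1):
            # The ELF spec requires sh_addralign to be 0 or a power of two.
            hits.append((sh["name"], "sh_addralign %#x is not a power of two" % align))
    return hits


def build_elf(sections):
    """Construct a minimal ET_REL ELF64 image for testing (assumed helper, not a real toolchain).

    sections: list of (name, sh_type, sh_flags, sh_addralign, sh_entsize, content).
    """
    shstrtab = bytearray(b"\0")
    name_off = []
    for name, *_ in sections:
        name_off.append(len(shstrtab))
        shstrtab += name.encode() + b"\0"
    shstr_name = len(shstrtab)
    shstrtab += b".shstrtab\0"
    # Layout: Ehdr | section contents | .shstrtab | section header table
    body = bytearray()
    content_off = []
    for *_, content in sections:
        content_off.append(64 + len(body))
        body += content
    shstr_off = 64 + len(body)
    body += shstrtab
    e_shoff = 64 + len(body)
    shnum = len(sections) + 2            # SHN_UNDEF entry, sections, .shstrtab
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack(EHDR_FMT, ET_REL, EM_X86_64, 1, 0, 0, e_shoff, 0,
                               64, 0, 0, 64, shnum, shnum - 1)
    table = struct.pack(SHDR_FMT, *([0] * 10))
    for (_name, typ, flags, align, entsize, content), n, c in zip(sections, name_off, content_off):
        table += struct.pack(SHDR_FMT, n, typ, flags, 0, c, len(content), 0, 0, align, entsize)
    table += struct.pack(SHDR_FMT, shstr_name, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)
    return bytes(ehdr + body + table)


# Constructed sample: two sections shaped like GCC's .rodata.str1.1 / .rodata.cst8,
# plus one SHF_MERGE|SHF_STRINGS section claiming a 2**40 alignment.
SAMPLE_ELF = build_elf([
    (".rodata.str1.1", SHT_PROGBITS, SHF_ALLOC | SHF_MERGE | SHF_STRINGS, 1, 1, b"hello\0world\0"),
    (".rodata.cst8", SHT_PROGBITS, SHF_ALLOC | SHF_MERGE, 8, 8, bytes(16)),
    (".rodata.str1.1.evil", SHT_PROGBITS, SHF_ALLOC | SHF_MERGE | SHF_STRINGS, 1 << 40, 1, b"x\0"),
])

if __name__ == "__main__":
    for name, reason in find_suspicious_merge_sections(SAMPLE_ELF):
        print("refusing %s: %s" % (name, reason))
```

To use it on real input, read an object file with open(path, "rb").read() and pass the bytes to find_suspicious_merge_sections before handing the file to ld. This is an input-hygiene heuristic only; the actual fix is in upstream binutils, and a patched ld is the proper remedy.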

Comment 1 Laura Pardo 2018-11-07 12:44:19 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1647417]

Created mingw-binutils tracking bugs for this issue:

Affects: epel-all [bug 1647416]

Comment 3 Nick Clifton 2018-11-09 16:56:51 UTC
This bug can only be triggered by using specially crafted, corrupt input files.
As such it will not normally be encountered by users, and fixing it is a low
priority.  The upstream GNU Binutils sources have already been fixed, and this
fix will be brought in with the next rebase to rawhide.  Postponing an update
to this BZ until then.

Comment 4 Nick Clifton 2018-11-09 16:58:44 UTC
Ahh - please ignore comment #3, it was meant for BZ 1647417

Comment 7 Scott Gayou 2018-11-28 20:53:32 UTC
Low impact, easy to reproduce.
