An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.
Created binutils tracking bugs for this issue:
Affects: fedora-all [bug 1739491]
Upstream patch for gcc:
upstream commit for binutils:
On the binutils scenario the patch synchronizes with gcc mainline so it includes much more changes than we might expect.
The changelog entry for that on the commit message is:
* simple-object-elf.c (simple_object_elf_match): Check zero value shstrndx.
This fixes a Bug 90924.
Created gcc tracking bugs for this issue:
Affects: fedora-all [bug 1744192]
This issue resides on libiberty code, libiberty is part of GNU project and contains several utilities being distributed by gcc and binutils packages. This flaws affects binutils versions as shipped with Red Hat Enterprise Linux 5, 6, 7 and 8 and also gcc versions as shipped with Red Hat Enterprise Linux 5, 6 ,7 and 8. Versions of gcc shipped with Red Hat Developers Tool Set 7 and 8 are also affected. This flaw was scored with 'Low' security impact for both binutils and gcc packages by Red Hat Product Security Team.
When reading ELF files libiberty parses the ELF structure to load its sections on memory. A crafted ELF file with invalid Section Header index leads to buffer overflow at simple_object_elf_find_sections() due to the lack of input validation. The overflow may lead to memory corruption and further out of bands read causing DoS.