An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow. Upstream Issue: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90924
Created binutils tracking bugs for this issue: Affects: fedora-all [bug 1739491]
Upstream patch for gcc: https://gcc.gnu.org/viewcvs/gcc/branches/gcc-8-branch/libiberty/simple-object-elf.c?view=patch&r1=273794&r2=273793&pathrev=273794 upstream commit for binutils: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=f211b8c0b91fc7b1657079a495f05a9a4d957821 On the binutils scenario the patch synchronizes with gcc mainline so it includes much more changes than we might expect. The changelog entry for that on the commit message is: * simple-object-elf.c (simple_object_elf_match): Check zero value shstrndx. This fixes a Bug 90924.
Created gcc tracking bugs for this issue: Affects: fedora-all [bug 1744192]
Statement: This issue resides on libiberty code, libiberty is part of GNU project and contains several utilities being distributed by gcc and binutils packages. This flaws affects binutils versions as shipped with Red Hat Enterprise Linux 5, 6, 7 and 8 and also gcc versions as shipped with Red Hat Enterprise Linux 5, 6 ,7 and 8. Versions of gcc shipped with Red Hat Developers Tool Set 7 and 8 are also affected. This flaw was scored with 'Low' security impact for both binutils and gcc packages by Red Hat Product Security Team.
When reading ELF files libiberty parses the ELF structure to load its sections on memory. A crafted ELF file with invalid Section Header index leads to buffer overflow at simple_object_elf_find_sections() due to the lack of input validation. The overflow may lead to memory corruption and further out of bands read causing DoS.
Can someone please update on whether this defect will be fixed in gcc of RHEL 5 and RHEL 6? And if yes, in which gcc version? Any heads up are appreciated. Thanks in advance. Best Regards,
(In reply to Trupti Pardeshi from comment #14) > Can someone please update on whether this defect will be fixed in gcc of > RHEL 5 and RHEL 6? And if yes, in which gcc version? Yes they are affected. (Although to be clear it is the binutils packages in RHEL 5 and RHEL 6 which are most affected by the problem. The bug is in the libiberty library which is maintained as part of the GCC project, but which is used extensively by the binutils project). Currently there are no plans to fix the bug in RHEL 5 or RHEL 6. The bug is fixed however in the Developer Toolset 9 release of the binutils which is available for RHEL 6.
(In reply to Nick Clifton from comment #15) > (In reply to Trupti Pardeshi from comment #14) > > Can someone please update on whether this defect will be fixed in gcc of > > RHEL 5 and RHEL 6? And if yes, in which gcc version? > > Yes they are affected. (Although to be clear it is the binutils packages in > RHEL 5 and RHEL 6 which are most affected by the problem. The bug is in the > libiberty library which is maintained as part of the GCC project, but which > is used extensively by the binutils project). > > Currently there are no plans to fix the bug in RHEL 5 or RHEL 6. > > The bug is fixed however in the Developer Toolset 9 release of the binutils > which is available for RHEL 6. Thank you so much Nick for prompt and clear reply. PS: Just a kind thought that if GCC of RHEL 5 and RHEL 6 are affected, then those aren't they mentioned in affected packages. https://access.redhat.com/security/cve/cve-2019-14250