Bug 1950478 (CVE-2020-35448) - CVE-2020-35448 binutils: Heap-based buffer overflow in bfd_getl_signed_32() in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section() in elf.c
Summary: CVE-2020-35448 binutils: Heap-based buffer overflow in bfd_getl_signed_32() i...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-35448
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1950480 1950481 1953649 1953650 1953651 1953652 1953653 1953658 1953659 1953660
Blocks: 1950482
TreeView+ depends on / blocked
 
Reported: 2021-04-16 17:35 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-17 21:18 UTC (History)
23 users (show)

Fixed In Version: binutils 2.36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-09 22:25:02 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4364 0 None None None 2021-11-09 18:28:58 UTC

Description Guilherme de Almeida Suckevicz 2021-04-16 17:35:28 UTC
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1. A heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section in elf.c.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=26574

Upstream patch:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8642dafaef21aa6747cec01df1977e9c52eb4679

Comment 1 Guilherme de Almeida Suckevicz 2021-04-16 17:35:57 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1950481]


Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1950480]

Comment 6 Marco Benatto 2021-04-26 15:42:09 UTC
A crafted ELF object can lead to a heap-based out of bound read in _bfd_elf_slurp_secondary_reloc_section() function. The impact for this flaw is considered low as the crafted object can eventually read only few bytes past the heap allocated buffer for section headers. For an attack being successful the attacker needs to lure the victim to open the malicious ELF file. The heap data eventually leaked is related mostly to the current process for the single victim's user run not affecting other users or applications on the system, implying only in a low confidentiality impact.

Comment 9 errata-xmlrpc 2021-11-09 18:28:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4364 https://access.redhat.com/errata/RHSA-2021:4364

Comment 10 Product Security DevOps Team 2021-11-09 22:24:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-35448


Note You need to log in before you can comment on or make changes to this bug.