Bug 1031590 - (CVE-2017-7304) VUL-0: CVE-2017-7304: binutils: The Binary File Descriptor (BFD) library (aka libbfd) invalid read
(CVE-2017-7304)
VUL-0: CVE-2017-7304: binutils: The Binary File Descriptor (BFD) library (aka...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Michael Matz
Security Team bot
https://smash.suse.de/issue/182429/
CVSSv2:NVD:CVE-2017-7304:5.0:(AV:N/AC...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-03-30 06:47 UTC by Victor Pereira
Modified: 2019-05-22 00:40 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2017-03-30 06:47:18 UTC
CVE-2017-7304

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU
Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a
check (in the copy_special_section_fields function) for an invalid sh_link field
before attempting to follow it. This vulnerability causes Binutils utilities
like strip to crash.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7304
http://www.cvedetails.com/cve/CVE-2017-7304/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7304
https://sourceware.org/bugzilla/show_bug.cgi?id=20931
Comment 1 Bernhard Wiedemann 2017-10-13 16:04:35 UTC
This is an autogenerated message for OBS integration:
This bug (1031590) was mentioned in
https://build.opensuse.org/request/show/533970 Factory / binutils
Comment 2 Swamp Workflow Management 2017-12-01 02:11:02 UTC
SUSE-SU-2017:3170-1: An update that solves 57 vulnerabilities and has 18 fixes is now available.

Category: security (moderate)
Bug References: 1003846,1025282,1029907,1029908,1029909,1029995,1030296,1030297,1030298,1030583,1030584,1030585,1030588,1030589,1031590,1031593,1031595,1031638,1031644,1031656,1033122,1037052,1037057,1037061,1037062,1037066,1037070,1037072,1037273,1038874,1038875,1038876,1038877,1038878,1038880,1038881,1044891,1044897,1044901,1044909,1044925,1044927,1046094,1052061,1052496,1052503,1052507,1052509,1052511,1052514,1052518,1053347,1056312,1056437,1057139,1057144,1057149,1058480,1059050,1060599,1060621,1061241,437293,445037,546106,561142,578249,590820,691290,698346,713504,776968,863764,938658,970239
CVE References: CVE-2014-9939,CVE-2017-12448,CVE-2017-12450,CVE-2017-12452,CVE-2017-12453,CVE-2017-12454,CVE-2017-12456,CVE-2017-12799,CVE-2017-13757,CVE-2017-14128,CVE-2017-14129,CVE-2017-14130,CVE-2017-14333,CVE-2017-14529,CVE-2017-14729,CVE-2017-14745,CVE-2017-14974,CVE-2017-6965,CVE-2017-6966,CVE-2017-6969,CVE-2017-7209,CVE-2017-7210,CVE-2017-7223,CVE-2017-7224,CVE-2017-7225,CVE-2017-7226,CVE-2017-7227,CVE-2017-7299,CVE-2017-7300,CVE-2017-7301,CVE-2017-7302,CVE-2017-7303,CVE-2017-7304,CVE-2017-7614,CVE-2017-8392,CVE-2017-8393,CVE-2017-8394,CVE-2017-8395,CVE-2017-8396,CVE-2017-8397,CVE-2017-8398,CVE-2017-8421,CVE-2017-9038,CVE-2017-9039,CVE-2017-9040,CVE-2017-9041,CVE-2017-9042,CVE-2017-9043,CVE-2017-9044,CVE-2017-9746,CVE-2017-9747,CVE-2017-9748,CVE-2017-9750,CVE-2017-9755,CVE-2017-9756,CVE-2017-9954,CVE-2017-9955
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    binutils-2.29.1-9.20.2, cross-ppc-binutils-2.29.1-9.20.2, cross-spu-binutils-2.29.1-9.20.2
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    binutils-2.29.1-9.20.2, cross-ppc-binutils-2.29.1-9.20.2, cross-spu-binutils-2.29.1-9.20.2
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    binutils-2.29.1-9.20.2
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    binutils-2.29.1-9.20.2
SUSE Linux Enterprise Server 12-SP3 (src):    binutils-2.29.1-9.20.2
SUSE Linux Enterprise Server 12-SP2 (src):    binutils-2.29.1-9.20.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    binutils-2.29.1-9.20.2
SUSE Linux Enterprise Desktop 12-SP2 (src):    binutils-2.29.1-9.20.2
OpenStack Cloud Magnum Orchestration 7 (src):    binutils-2.29.1-9.20.2
Comment 3 Andreas Stieger 2017-12-02 14:38:28 UTC
release for Leap, closing
Comment 4 Swamp Workflow Management 2017-12-02 20:08:58 UTC
openSUSE-SU-2017:3199-1: An update that solves 57 vulnerabilities and has 18 fixes is now available.

Category: security (moderate)
Bug References: 1003846,1025282,1029907,1029908,1029909,1029995,1030296,1030297,1030298,1030583,1030584,1030585,1030588,1030589,1031590,1031593,1031595,1031638,1031644,1031656,1033122,1037052,1037057,1037061,1037062,1037066,1037070,1037072,1037273,1038874,1038875,1038876,1038877,1038878,1038880,1038881,1044891,1044897,1044901,1044909,1044925,1044927,1046094,1052061,1052496,1052503,1052507,1052509,1052511,1052514,1052518,1053347,1056312,1056437,1057139,1057144,1057149,1058480,1059050,1060599,1060621,1061241,437293,445037,546106,561142,578249,590820,691290,698346,713504,776968,863764,938658,970239
CVE References: CVE-2014-9939,CVE-2017-12448,CVE-2017-12450,CVE-2017-12452,CVE-2017-12453,CVE-2017-12454,CVE-2017-12456,CVE-2017-12799,CVE-2017-13757,CVE-2017-14128,CVE-2017-14129,CVE-2017-14130,CVE-2017-14333,CVE-2017-14529,CVE-2017-14729,CVE-2017-14745,CVE-2017-14974,CVE-2017-6965,CVE-2017-6966,CVE-2017-6969,CVE-2017-7209,CVE-2017-7210,CVE-2017-7223,CVE-2017-7224,CVE-2017-7225,CVE-2017-7226,CVE-2017-7227,CVE-2017-7299,CVE-2017-7300,CVE-2017-7301,CVE-2017-7302,CVE-2017-7303,CVE-2017-7304,CVE-2017-7614,CVE-2017-8392,CVE-2017-8393,CVE-2017-8394,CVE-2017-8395,CVE-2017-8396,CVE-2017-8397,CVE-2017-8398,CVE-2017-8421,CVE-2017-9038,CVE-2017-9039,CVE-2017-9040,CVE-2017-9041,CVE-2017-9042,CVE-2017-9043,CVE-2017-9044,CVE-2017-9746,CVE-2017-9747,CVE-2017-9748,CVE-2017-9750,CVE-2017-9755,CVE-2017-9756,CVE-2017-9954,CVE-2017-9955
Sources used:
openSUSE Leap 42.3 (src):    binutils-2.29.1-13.1, cross-aarch64-binutils-2.29.1-13.1, cross-arm-binutils-2.29.1-13.1, cross-avr-binutils-2.29.1-13.1, cross-hppa-binutils-2.29.1-13.1, cross-hppa64-binutils-2.29.1-13.1, cross-i386-binutils-2.29.1-13.1, cross-ia64-binutils-2.29.1-13.1, cross-m68k-binutils-2.29.1-13.1, cross-mips-binutils-2.29.1-13.1, cross-ppc-binutils-2.29.1-13.1, cross-ppc64-binutils-2.29.1-13.1, cross-ppc64le-binutils-2.29.1-13.1, cross-s390-binutils-2.29.1-13.1, cross-s390x-binutils-2.29.1-13.1, cross-sparc-binutils-2.29.1-13.1, cross-sparc64-binutils-2.29.1-13.1, cross-spu-binutils-2.29.1-13.1, cross-x86_64-binutils-2.29.1-13.1
openSUSE Leap 42.2 (src):    binutils-2.29.1-9.6.1, cross-aarch64-binutils-2.29.1-9.6.1, cross-arm-binutils-2.29.1-9.6.1, cross-avr-binutils-2.29.1-9.6.1, cross-hppa-binutils-2.29.1-9.6.1, cross-hppa64-binutils-2.29.1-9.6.1, cross-i386-binutils-2.29.1-9.6.1, cross-ia64-binutils-2.29.1-9.6.1, cross-m68k-binutils-2.29.1-9.6.1, cross-mips-binutils-2.29.1-9.6.1, cross-ppc-binutils-2.29.1-9.6.1, cross-ppc64-binutils-2.29.1-9.6.1, cross-ppc64le-binutils-2.29.1-9.6.1, cross-s390-binutils-2.29.1-9.6.1, cross-s390x-binutils-2.29.1-9.6.1, cross-sparc-binutils-2.29.1-9.6.1, cross-sparc64-binutils-2.29.1-9.6.1, cross-spu-binutils-2.29.1-9.6.1, cross-x86_64-binutils-2.29.1-9.6.1
Comment 6 Swamp Workflow Management 2018-10-17 19:27:55 UTC
SUSE-SU-2018:3207-1: An update that solves 52 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1029907,1029908,1029909,1030296,1030297,1030298,1030584,1030585,1030588,1030589,1031590,1031593,1031595,1031638,1031644,1031656,1037052,1037057,1037061,1037066,1037273,1044891,1044897,1044901,1044909,1044925,1044927,1065643,1065689,1065693,1068640,1068643,1068887,1068888,1068950,1069176,1069202,1074741,1077745,1079103,1079741,1080556,1081527,1083528,1083532,1085784,1086608,1086784,1086786,1086788,1090997,1091015,1091365,1091368
CVE References: CVE-2014-9939,CVE-2017-15938,CVE-2017-15939,CVE-2017-15996,CVE-2017-16826,CVE-2017-16827,CVE-2017-16828,CVE-2017-16829,CVE-2017-16830,CVE-2017-16831,CVE-2017-16832,CVE-2017-6965,CVE-2017-6966,CVE-2017-6969,CVE-2017-7209,CVE-2017-7210,CVE-2017-7223,CVE-2017-7224,CVE-2017-7225,CVE-2017-7226,CVE-2017-7299,CVE-2017-7300,CVE-2017-7301,CVE-2017-7302,CVE-2017-7303,CVE-2017-7304,CVE-2017-8392,CVE-2017-8393,CVE-2017-8394,CVE-2017-8396,CVE-2017-8421,CVE-2017-9746,CVE-2017-9747,CVE-2017-9748,CVE-2017-9750,CVE-2017-9755,CVE-2017-9756,CVE-2018-10372,CVE-2018-10373,CVE-2018-10534,CVE-2018-10535,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945
Sources used:
SUSE OpenStack Cloud 7 (src):    binutils-2.31-9.26.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    binutils-2.31-9.26.1, cross-ppc-binutils-2.31-9.26.1, cross-spu-binutils-2.31-9.26.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    binutils-2.31-9.26.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    binutils-2.31-9.26.1
SUSE Linux Enterprise Server 12-SP3 (src):    binutils-2.31-9.26.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    binutils-2.31-9.26.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    binutils-2.31-9.26.1
SUSE Linux Enterprise Server 12-LTSS (src):    binutils-2.31-9.26.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    binutils-2.31-9.26.1
SUSE Enterprise Storage 4 (src):    binutils-2.31-9.26.1
OpenStack Cloud Magnum Orchestration 7 (src):    binutils-2.31-9.26.1
Comment 7 Swamp Workflow Management 2018-10-18 16:23:07 UTC
SUSE-SU-2018:3207-2: An update that solves 52 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1029907,1029908,1029909,1030296,1030297,1030298,1030584,1030585,1030588,1030589,1031590,1031593,1031595,1031638,1031644,1031656,1037052,1037057,1037061,1037066,1037273,1044891,1044897,1044901,1044909,1044925,1044927,1065643,1065689,1065693,1068640,1068643,1068887,1068888,1068950,1069176,1069202,1074741,1077745,1079103,1079741,1080556,1081527,1083528,1083532,1085784,1086608,1086784,1086786,1086788,1090997,1091015,1091365,1091368
CVE References: CVE-2014-9939,CVE-2017-15938,CVE-2017-15939,CVE-2017-15996,CVE-2017-16826,CVE-2017-16827,CVE-2017-16828,CVE-2017-16829,CVE-2017-16830,CVE-2017-16831,CVE-2017-16832,CVE-2017-6965,CVE-2017-6966,CVE-2017-6969,CVE-2017-7209,CVE-2017-7210,CVE-2017-7223,CVE-2017-7224,CVE-2017-7225,CVE-2017-7226,CVE-2017-7299,CVE-2017-7300,CVE-2017-7301,CVE-2017-7302,CVE-2017-7303,CVE-2017-7304,CVE-2017-8392,CVE-2017-8393,CVE-2017-8394,CVE-2017-8396,CVE-2017-8421,CVE-2017-9746,CVE-2017-9747,CVE-2017-9748,CVE-2017-9750,CVE-2017-9755,CVE-2017-9756,CVE-2018-10372,CVE-2018-10373,CVE-2018-10534,CVE-2018-10535,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    binutils-2.31-9.26.1
Comment 8 Swamp Workflow Management 2018-10-18 16:54:41 UTC
openSUSE-SU-2018:3223-1: An update that solves 52 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1029907,1029908,1029909,1030296,1030297,1030298,1030584,1030585,1030588,1030589,1031590,1031593,1031595,1031638,1031644,1031656,1037052,1037057,1037061,1037066,1037273,1044891,1044897,1044901,1044909,1044925,1044927,1065643,1065689,1065693,1068640,1068643,1068887,1068888,1068950,1069176,1069202,1074741,1077745,1079103,1079741,1080556,1081527,1083528,1083532,1085784,1086608,1086784,1086786,1086788,1090997,1091015,1091365,1091368
CVE References: CVE-2014-9939,CVE-2017-15938,CVE-2017-15939,CVE-2017-15996,CVE-2017-16826,CVE-2017-16827,CVE-2017-16828,CVE-2017-16829,CVE-2017-16830,CVE-2017-16831,CVE-2017-16832,CVE-2017-6965,CVE-2017-6966,CVE-2017-6969,CVE-2017-7209,CVE-2017-7210,CVE-2017-7223,CVE-2017-7224,CVE-2017-7225,CVE-2017-7226,CVE-2017-7299,CVE-2017-7300,CVE-2017-7301,CVE-2017-7302,CVE-2017-7303,CVE-2017-7304,CVE-2017-8392,CVE-2017-8393,CVE-2017-8394,CVE-2017-8396,CVE-2017-8421,CVE-2017-9746,CVE-2017-9747,CVE-2017-9748,CVE-2017-9750,CVE-2017-9755,CVE-2017-9756,CVE-2018-10372,CVE-2018-10373,CVE-2018-10534,CVE-2018-10535,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945
Sources used:
openSUSE Leap 42.3 (src):    binutils-2.31-19.1, cross-aarch64-binutils-2.31-19.1, cross-arm-binutils-2.31-19.1, cross-avr-binutils-2.31-19.1, cross-hppa-binutils-2.31-19.1, cross-hppa64-binutils-2.31-19.1, cross-i386-binutils-2.31-19.1, cross-ia64-binutils-2.31-19.1, cross-m68k-binutils-2.31-19.1, cross-mips-binutils-2.31-19.1, cross-ppc-binutils-2.31-19.1, cross-ppc64-binutils-2.31-19.1, cross-ppc64le-binutils-2.31-19.1, cross-s390-binutils-2.31-19.1, cross-s390x-binutils-2.31-19.1, cross-sparc-binutils-2.31-19.1, cross-sparc64-binutils-2.31-19.1, cross-spu-binutils-2.31-19.1, cross-x86_64-binutils-2.31-19.1