Bug 1142649 - (CVE-2019-14250) VUL-1: CVE-2019-14250: binutils: simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/237923/
CVSSv3:SUSE:CVE-2019-14250:5.3:(AV:L/...
Depends on:
Blocks:
Reported: 2019-07-24 12:00 UTC by Alexandros Toptsoglou
Modified: 2022-06-08 13:16 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
POC (8.13 KB, application/x-sharedlib)
2019-07-24 12:01 UTC, Alexandros Toptsoglou

Description Alexandros Toptsoglou 2019-07-24 12:00:14 UTC
CVE-2019-14250

An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32.
simple_object_elf_match in simple-object-elf.c does not check for a zero
shstrndx value, leading to an integer overflow and resultant heap-based buffer
overflow.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14250
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14250
https://gcc.gnu.org/ml/gcc-patches/2019-07/msg01003.html
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90924
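As an added illustration of the missing check (example code written for this page, not libiberty's or the GCC patch's own code), the unchecked index arithmetic is shown beside a hardened lookup that rejects a zero or out-of-range e_shstrndx before it is used to index the section header table. Field offsets are those of a little-endian ELF64 header; the sample header is constructed, and the function names are this example's own.

```c
/* Added example, not libiberty's code: validate the ELF e_shstrndx field
 * before indexing the section header table with it, the check that
 * CVE-2019-14250 lacked.  ELF64 little-endian layout; header is constructed. */
#include <stdint.h>
#include <string.h>

#define EHDR64_SIZE 64
#define E_SHENTSIZE 58   /* byte offsets of the ELF64 header fields used */
#define E_SHNUM     60
#define E_SHSTRNDX  62
#define SHN_XINDEX  0xffff
static uint16_t get16le(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Offset of the section-name string table header in a buffer holding section
 * headers 1..shnum-1 (section 0 is skipped), computed without a range check:
 * shstrndx == 0 wraps and the result becomes an out-of-bounds read offset. */
unsigned int unchecked_shstr_offset(unsigned int shstrndx, unsigned int shentsize)
{
    return (shstrndx - 1) * shentsize;
}

/* Hardened lookup: returns 0 and stores the offset only for shstrndx in
 * 1..shnum-1; zero, out-of-range and SHN_XINDEX (needs section 0's sh_link,
 * not handled here) are rejected. */
int checked_shstr_offset(const unsigned char *ehdr, size_t len, unsigned int *off)
{
    if (len < EHDR64_SIZE || memcmp(ehdr, "\x7f" "ELF", 4) != 0)
        return -1;
    unsigned int shentsize = get16le(ehdr + E_SHENTSIZE);
    unsigned int shnum     = get16le(ehdr + E_SHNUM);
    unsigned int shstrndx  = get16le(ehdr + E_SHSTRNDX);
    if (shentsize == 0 || shstrndx == 0 || shstrndx == SHN_XINDEX || shstrndx >= shnum)
        return -1;
    *off = (shstrndx - 1) * shentsize;
    return 0;
}
/* Constructed ELF64 header: shentsize 64, shnum 3, caller-chosen shstrndx. */
void make_ehdr(unsigned char out[EHDR64_SIZE], uint16_t shstrndx)
{
    memset(out, 0, EHDR64_SIZE);  memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2;  out[5] = 1;                     /* ELFCLASS64, ELFDATA2LSB */
    out[E_SHENTSIZE] = 64;
    out[E_SHNUM] = 3;
    out[E_SHSTRNDX] = (unsigned char)(shstrndx & 0xff);
    out[E_SHSTRNDX + 1] = (unsigned char)(shstrndx >> 8);
}
/* Builds the constructed header with the given shstrndx and runs the check. */
int check_sample(uint16_t shstrndx, unsigned int *off)
{
    unsigned char hdr[EHDR64_SIZE];
    make_ehdr(hdr, shstrndx);
    return checked_shstr_offset(hdr, sizeof hdr, off);
}
```

With 32-bit unsigned arithmetic, a zero shstrndx and shentsize 64 yields offset 4294967232 from the unchecked path, which is the kind of wild pointer the valgrind trace in this bug reports; the checked path rejects the same header.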
Comment 1 Alexandros Toptsoglou 2019-07-24 12:01:39 UTC
Created attachment 811443
POC
Comment 2 Alexandros Toptsoglou 2019-07-24 14:01:33 UTC
Tracked all the codestreams as affected. The fix for the issue can be found at [1]. The POC is attached. To reproduce the issue, simply run valgrind nm $POC. The reproducer was tested against LEAP 15 and the output is the following:

==23225== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==23225==  Access not within mapped region at address 0x4005BA9710
==23225==    at 0x5FA278F: simple_object_fetch_little_64 (simple-object-common.h:263)
==23225==    by 0x5FA278F: simple_object_elf_find_sections (simple-object-elf.c:531)
==23225==    by 0x5FA1EB4: claim_file_handler (lto-plugin.c:1008)
==23225==    by 0x50AD2CA: try_claim (plugin.c:211)
==23225==    by 0x50AD2CA: try_load_plugin (plugin.c:267)
==23225==    by 0x50AD4FF: load_plugin (plugin.c:366)
==23225==    by 0x50AD4FF: bfd_plugin_object_p (plugin.c:389)
==23225==    by 0x4F09A89: bfd_check_format_matches (format.c:258)
==23225==    by 0x10D22F: display_file.part.17 (nm.c:1321)
==23225==    by 0x10AED5: display_file (nm.c:1303)
==23225==    by 0x10AED5: main (nm.c:1799)


[1] https://gcc.gnu.org/ml/gcc-patches/2019-07/msg01003.html
Comment 4 Michael Matz 2019-07-24 15:43:17 UTC
So, this is actually only for the linker plugin.  binutils itself doesn't
use the code from simple-object-elf.c, hence anything that doesn't provide
the LTO linker plugin is affected, while anything that is providing it is.

In any case, easy to fix, but it's GCC that is affected and needs to be updated.
-> Richi.
Comment 5 Richard Biener 2019-07-25 09:46:26 UTC
I'm backporting the fix upstream.
Comment 6 Swamp Workflow Management 2019-07-25 11:30:18 UTC
This is an autogenerated message for OBS integration:
This bug (1142649) was mentioned in
https://build.opensuse.org/request/show/718517 Factory / gcc7
Comment 7 Swamp Workflow Management 2019-08-02 13:50:06 UTC
This bug (1142649) was mentioned in
https://build.opensuse.org/request/show/720637 Factory / gcc9
Comment 8 Swamp Workflow Management 2019-08-05 13:20:06 UTC
This bug (1142649) was mentioned in
https://build.opensuse.org/request/show/721056 Factory / gcc9
Comment 9 Swamp Workflow Management 2019-08-26 13:20:22 UTC
This bug (1142649) was mentioned in
https://build.opensuse.org/request/show/726181 Factory / gcc8
Comment 12 Swamp Workflow Management 2019-10-16 22:17:08 UTC
SUSE-SU-2019:2702-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1071995,1141897,1142649,1148517,1149145
CVE References: CVE-2019-14250,CVE-2019-15847
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    cross-aarch64-gcc7-7.4.1+r275405-4.9.2, cross-arm-gcc7-7.4.1+r275405-4.9.2, cross-arm-none-gcc7-bootstrap-7.4.1+r275405-4.9.2, cross-avr-gcc7-bootstrap-7.4.1+r275405-4.9.2, cross-epiphany-gcc7-bootstrap-7.4.1+r275405-4.9.2, cross-hppa-gcc7-7.4.1+r275405-4.9.2, cross-i386-gcc7-7.4.1+r275405-4.9.2, cross-m68k-gcc7-7.4.1+r275405-4.9.2, cross-mips-gcc7-7.4.1+r275405-4.9.2, cross-ppc64-gcc7-7.4.1+r275405-4.9.2, cross-ppc64le-gcc7-7.4.1+r275405-4.9.2, cross-rx-gcc7-bootstrap-7.4.1+r275405-4.9.2, cross-s390x-gcc7-7.4.1+r275405-4.9.2, cross-sparc-gcc7-7.4.1+r275405-4.9.2, cross-sparc64-gcc7-7.4.1+r275405-4.9.2, cross-x86_64-gcc7-7.4.1+r275405-4.9.2, gcc7-7.4.1+r275405-4.9.2, gcc7-testresults-7.4.1+r275405-4.9.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    cross-arm-gcc7-7.4.1+r275405-4.9.2, cross-arm-none-gcc7-bootstrap-7.4.1+r275405-4.9.2, cross-avr-gcc7-bootstrap-7.4.1+r275405-4.9.2, cross-epiphany-gcc7-bootstrap-7.4.1+r275405-4.9.2, cross-hppa-gcc7-7.4.1+r275405-4.9.2, cross-i386-gcc7-7.4.1+r275405-4.9.2, cross-m68k-gcc7-7.4.1+r275405-4.9.2, cross-mips-gcc7-7.4.1+r275405-4.9.2, cross-ppc64-gcc7-7.4.1+r275405-4.9.2, cross-rx-gcc7-bootstrap-7.4.1+r275405-4.9.2, cross-sparc-gcc7-7.4.1+r275405-4.9.2, cross-sparc64-gcc7-7.4.1+r275405-4.9.2, gcc7-7.4.1+r275405-4.9.2, gcc7-testresults-7.4.1+r275405-4.9.2
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    cross-nvptx-gcc7-7.4.1+r275405-4.9.2, gcc7-7.4.1+r275405-4.9.2
SUSE Linux Enterprise Module for Development Tools 15 (src):    cross-nvptx-gcc7-7.4.1+r275405-4.9.2, gcc7-7.4.1+r275405-4.9.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    gcc7-7.4.1+r275405-4.9.2
SUSE Linux Enterprise Module for Basesystem 15 (src):    gcc7-7.4.1+r275405-4.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-10-22 19:12:43 UTC
openSUSE-SU-2019:2364-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1071995,1141897,1142649,1148517,1149145
CVE References: CVE-2019-14250,CVE-2019-15847
Sources used:
openSUSE Leap 15.1 (src):    gcc7-7.4.1+r275405-lp151.2.6.1
Comment 14 Swamp Workflow Management 2019-10-22 22:11:38 UTC
openSUSE-SU-2019:2365-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1071995,1141897,1142649,1148517,1149145
CVE References: CVE-2019-14250,CVE-2019-15847
Sources used:
openSUSE Leap 15.0 (src):    gcc7-7.4.1+r275405-lp150.12.1
Comment 15 Swamp Workflow Management 2019-11-25 20:20:14 UTC
SUSE-SU-2019:3061-1: An update that solves two vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145
CVE References: CVE-2019-14250,CVE-2019-15847
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    gcc9-9.2.1+r275327-1.3.7
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    gcc9-9.2.1+r275327-1.3.7
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    gcc9-9.2.1+r275327-1.3.7
SUSE Linux Enterprise Module for Development Tools 15 (src):    gcc9-9.2.1+r275327-1.3.7
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    gcc9-9.2.1+r275327-1.3.7
SUSE Linux Enterprise Module for Basesystem 15 (src):    gcc9-9.2.1+r275327-1.3.7

Comment 16 Swamp Workflow Management 2020-02-18 17:15:13 UTC
SUSE-SU-2020:0394-1: An update that solves two vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145
CVE References: CVE-2019-14250,CVE-2019-15847
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    gcc9-9.2.1+r275327-1.3.9
SUSE OpenStack Cloud 8 (src):    gcc9-9.2.1+r275327-1.3.9
SUSE OpenStack Cloud 7 (src):    gcc9-9.2.1+r275327-1.3.9
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    gcc9-9.2.1+r275327-1.3.9
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    gcc9-9.2.1+r275327-1.3.9
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    gcc9-9.2.1+r275327-1.3.9
SUSE Linux Enterprise Server 12-SP5 (src):    gcc9-9.2.1+r275327-1.3.9
SUSE Linux Enterprise Server 12-SP4 (src):    gcc9-9.2.1+r275327-1.3.9
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    gcc9-9.2.1+r275327-1.3.9
SUSE Linux Enterprise Server 12-SP3-BCL (src):    gcc9-9.2.1+r275327-1.3.9
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    gcc9-9.2.1+r275327-1.3.9
SUSE Linux Enterprise Server 12-SP2-BCL (src):    gcc9-9.2.1+r275327-1.3.9
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    gcc9-9.2.1+r275327-1.3.9
SUSE Linux Enterprise Module for Toolchain 12 (src):    gcc9-9.2.1+r275327-1.3.9
SUSE Enterprise Storage 5 (src):    gcc9-9.2.1+r275327-1.3.9
HPE Helion Openstack 8 (src):    gcc9-9.2.1+r275327-1.3.9

Comment 17 Swamp Workflow Management 2020-05-26 10:14:07 UTC
openSUSE-SU-2020:0716-1: An update that solves two vulnerabilities and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,1149995,1152590,1167898
CVE References: CVE-2019-14250,CVE-2019-15847
Sources used:
openSUSE Leap 15.1 (src):    cross-nvptx-gcc9-9.3.1+git1296-lp151.2.1, gcc9-9.3.1+git1296-lp151.2.2
Comment 19 Swamp Workflow Management 2020-10-28 11:18:54 UTC
SUSE-SU-2020:3060-1: An update that solves 8 vulnerabilities, contains three features and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744
CVE References: CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077
JIRA References: ECO-2373,SLE-7464,SLE-7903
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    binutils-2.35-7.11.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    binutils-2.35-7.11.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    binutils-2.35-7.11.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    binutils-2.35-7.11.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    binutils-2.35-7.11.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    binutils-2.35-7.11.1

Comment 20 Swamp Workflow Management 2020-10-31 17:16:18 UTC
openSUSE-SU-2020:1790-1: An update that solves 8 vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744
CVE References: CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    binutils-2.35-lp151.3.9.1, cross-aarch64-binutils-2.35-lp151.3.9.1, cross-arm-binutils-2.35-lp151.3.9.1, cross-avr-binutils-2.35-lp151.3.9.1, cross-epiphany-binutils-2.35-lp151.3.9.1, cross-hppa-binutils-2.35-lp151.3.9.1, cross-hppa64-binutils-2.35-lp151.3.9.1, cross-i386-binutils-2.35-lp151.3.9.1, cross-ia64-binutils-2.35-lp151.3.9.1, cross-m68k-binutils-2.35-lp151.3.9.1, cross-mips-binutils-2.35-lp151.3.9.1, cross-ppc-binutils-2.35-lp151.3.9.1, cross-ppc64-binutils-2.35-lp151.3.9.1, cross-ppc64le-binutils-2.35-lp151.3.9.1, cross-riscv64-binutils-2.35-lp151.3.9.1, cross-rx-binutils-2.35-lp151.3.9.1, cross-s390-binutils-2.35-lp151.3.9.1, cross-s390x-binutils-2.35-lp151.3.9.1, cross-sparc-binutils-2.35-lp151.3.9.1, cross-sparc64-binutils-2.35-lp151.3.9.1, cross-spu-binutils-2.35-lp151.3.9.1
Comment 21 Swamp Workflow Management 2020-11-01 14:14:41 UTC
openSUSE-SU-2020:1804-1: An update that solves 8 vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744
CVE References: CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    binutils-2.35-lp152.4.3.1, cross-aarch64-binutils-2.35-lp152.4.3.1, cross-arm-binutils-2.35-lp152.4.3.1, cross-avr-binutils-2.35-lp152.4.3.1, cross-epiphany-binutils-2.35-lp152.4.3.1, cross-hppa-binutils-2.35-lp152.4.3.1, cross-hppa64-binutils-2.35-lp152.4.3.1, cross-i386-binutils-2.35-lp152.4.3.1, cross-ia64-binutils-2.35-lp152.4.3.1, cross-m68k-binutils-2.35-lp152.4.3.1, cross-mips-binutils-2.35-lp152.4.3.1, cross-ppc-binutils-2.35-lp152.4.3.1, cross-ppc64-binutils-2.35-lp152.4.3.1, cross-ppc64le-binutils-2.35-lp152.4.3.1, cross-riscv64-binutils-2.35-lp152.4.3.1, cross-rx-binutils-2.35-lp152.4.3.1, cross-s390-binutils-2.35-lp152.4.3.1, cross-s390x-binutils-2.35-lp152.4.3.1, cross-sparc-binutils-2.35-lp152.4.3.1, cross-sparc64-binutils-2.35-lp152.4.3.1, cross-spu-binutils-2.35-lp152.4.3.1, cross-xtensa-binutils-2.35-lp152.4.3.1
Comment 23 Swamp Workflow Management 2020-11-27 20:16:12 UTC
SUSE-SU-2020:3552-1: An update that solves 8 vulnerabilities, contains three features and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744,1179036
CVE References: CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077
JIRA References: ECO-2373,SLE-7464,SLE-7903
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    binutils-2.35.1-6.15.1
SUSE Linux Enterprise Server 15-LTSS (src):    binutils-2.35.1-6.15.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    binutils-2.35.1-6.15.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    binutils-2.35.1-6.15.1

Comment 25 Swamp Workflow Management 2021-11-02 14:26:41 UTC
SUSE-SU-2021:3593-1: An update that solves 21 vulnerabilities, contains 7 features and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744,1179036,1179341,1179898,1179899,1179900,1179901,1179902,1179903,1180451,1180454,1180461,1181452,1182252,1183511,1184620,1184794
CVE References: CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077,CVE-2020-16590,CVE-2020-16591,CVE-2020-16592,CVE-2020-16593,CVE-2020-16598,CVE-2020-16599,CVE-2020-35448,CVE-2020-35493,CVE-2020-35496,CVE-2020-35507,CVE-2021-20197,CVE-2021-20284,CVE-2021-3487
JIRA References: ECO-2373,PM-2767,SLE-18637,SLE-19618,SLE-21561,SLE-7464,SLE-7903
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    binutils-2.37-9.39.1
SUSE OpenStack Cloud Crowbar 8 (src):    binutils-2.37-9.39.1
SUSE OpenStack Cloud 9 (src):    binutils-2.37-9.39.1
SUSE OpenStack Cloud 8 (src):    binutils-2.37-9.39.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    binutils-2.37-9.39.1, cross-ppc-binutils-2.37-9.39.1, cross-spu-binutils-2.37-9.39.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    binutils-2.37-9.39.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    binutils-2.37-9.39.1
SUSE Linux Enterprise Server 12-SP5 (src):    binutils-2.37-9.39.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    binutils-2.37-9.39.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    binutils-2.37-9.39.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    binutils-2.37-9.39.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    binutils-2.37-9.39.1
HPE Helion Openstack 8 (src):    binutils-2.37-9.39.1

Comment 26 Richard Biener 2022-03-22 07:54:30 UTC
Back to security for closing.
Comment 37 Richard Biener 2022-03-31 06:29:48 UTC
MRs submitted.
Comment 39 Gabriele Sonnu 2022-03-31 10:21:30 UTC
Done.
Comment 40 Swamp Workflow Management 2022-06-08 13:16:28 UTC
SUSE-SU-2022:2015-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1142649,1161913,1177947,1178675,1185395
CVE References: CVE-2019-14250
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    libgcj48-4.8.5-31.26.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    gcc48-4.8.5-31.26.1, libffi48-4.8.5-31.26.1, libgcj48-4.8.5-31.26.1
SUSE Linux Enterprise Server 12-SP5 (src):    gcc48-4.8.5-31.26.1
