Lucene search

K
amazonAmazonALAS-2024-2401
HistoryJan 03, 2024 - 9:04 p.m.

Medium: binutils

2024-01-0321:04:00
alas.aws.amazon.com
29
memoryconsumption
bufferoverflow
denialofservice
craftedcommand
cve2020-19724
cve2021-46174
cve2022-35205
cve2022-47007
cve2022-47008
cve2022-47010
cve2022-48064
cve2023-1972
heapbasedbufferoverflow
excessivememoryconsumption
amazonlinux2
redhat
mitre
unix

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

33.9%

Issue Overview:

A memory consumption issue in get_data function in binutils/nm.c in GNU nm before 2.34 allows attackers to cause a denial of service via crafted command. (CVE-2020-19724)

Heap-based Buffer Overflow in function bfd_getl32 in Binutils objdump 3.37. (CVE-2021-46174)

An issue was discovered in Binutils readelf 2.38.50, reachable assertion failure in function display_debug_names allows attackers to cause a denial of service. (CVE-2022-35205)

An issue was discovered function stab_demangle_v3_arg in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks. (CVE-2022-47007)

An issue was discovered function make_tempdir, and make_tempname in bucomm.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks. (CVE-2022-47008)

An issue was discovered function pr_function_type in prdbg.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks. (CVE-2022-47010)

GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack. (CVE-2022-48064)

Potential heap based buffer overflow found in _bfd_elf_slurp_version_tables() in bfd/elf.c. (CVE-2023-1972)

Affected Packages:

binutils

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update binutils to update your system.

New Packages:

aarch64:  
    binutils-2.29.1-31.amzn2.0.1.aarch64  
    binutils-devel-2.29.1-31.amzn2.0.1.aarch64  
    binutils-debuginfo-2.29.1-31.amzn2.0.1.aarch64  
  
i686:  
    binutils-2.29.1-31.amzn2.0.1.i686  
    binutils-devel-2.29.1-31.amzn2.0.1.i686  
    binutils-debuginfo-2.29.1-31.amzn2.0.1.i686  
  
src:  
    binutils-2.29.1-31.amzn2.0.1.src  
  
x86_64:  
    binutils-2.29.1-31.amzn2.0.1.x86_64  
    binutils-devel-2.29.1-31.amzn2.0.1.x86_64  
    binutils-debuginfo-2.29.1-31.amzn2.0.1.x86_64  

Additional References

Red Hat: CVE-2020-19724, CVE-2021-46174, CVE-2022-35205, CVE-2022-47007, CVE-2022-47008, CVE-2022-47010, CVE-2022-48064, CVE-2023-1972

Mitre: CVE-2020-19724, CVE-2021-46174, CVE-2022-35205, CVE-2022-47007, CVE-2022-47008, CVE-2022-47010, CVE-2022-48064, CVE-2023-1972

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

33.9%