Extended Lifecycle Support update for binutils covers 92 CVEs
GNU Binutils is one of the fundamental packages in a development environment – it includes several different tools for manipulating ELF files, object files, and others that are important in the binary creation process. So finding and fixing issues in it strengthens the whole process and has far-reaching benefits.
In the latest batch of updates released by the Extended Lifecycle Support team for the supported Linux distributions, over 90 CVEs were fixed in GNU Binutils.
CONTENT:
THE EXTENDED LIFECYCLE SUPPORT USER POINT OF VIEW
As a service user, you can have the peace of mind of having a dedicated team of experts in security and Linux preparing adequate updates for systems that would otherwise not have any updates available at all.
In this specific instance, binutils is a fundamental package, relied upon by many other tools like development stacks, debuggers, code analysis, and many others, not necessarily development-related tools. So, keeping it secure will directly impact overall system security and stability.
At a deeper level
TuxCare’s Extended Lifecycle Support team is usually busy testing CVE fix code, adapting it to older versions of packages included in the supported Linux distributions, and ensuring that the packages released actually protect users against the vulnerabilities claimed to be addressed. This process is called “backporting”, as it consists of taking a fix that applies to a more recent version of a package and adapting it to work in older versions like the ones present in the Linux distributions covered by ELS. As a result, there is a lot of time spent just eyeballing the code and running tests on it.
When working on CVEs, sometimes the analysis will identify new issues that were overlooked at the time when they were originally addressed. The ELS team always strives to responsibly inform upstream open source projects and contribute the code to these projects. This has the added benefit of improving the security of the IT ecosystem as a whole. Of course, fixes for these new issues are also provided to the ELS users, as the systems they are running are out of original vendor support and would not otherwise receive the fixed code through other means.
One of the latest results of this activity, and already included in the available updates, addresses a total of 92 vulnerabilities in binutils alone. These range from “buffer overflows” to “use after free” issues and have a wide range of CVSS scores – not all of them are critical, but many indeed are.
Being a fundamental package, binutils contains tools used extensively in code analysis, debugging, and linking operations, and are also used by many other third party tools. You don’t have to be doing actual development work in order to have binutils in your system, you probably have it as a dependency for some other application or tool that is deployed. Keeping binutils updated will ensure the correct and secure operation of more than just binutils itself.
In some of these CVEs, the team identified situations where original CVE fixes introduced new issues like undefined behavior or other security issues. These required in-house code development to fix. Such code was then submitted to upstream open source projects, which in turn either accepted and committed it to those projects, or prepared their own code to fix the new reported issues.
An example of this is CVE-2018-7568. The ELS team identified a situation where the code fix originally submitted would cause undefined behavior, and it was reported to the upstream project here.
The issue was spotted by Nikita Popov, a team member while reviewing the changes made to the original CVE fix to ensure it wouldn’t break on older Linux distributions and “played nicely” with the rest of the code.
It turns out that the patch for CVE-2018-7568 includes an unsigned type used as a block length (block_len) counter. When used in expressions like
xptr + block_len < xptr
under the right situations – block_len being unsigned – this could be completely omitted by the compiler that could optimize away this line. This type of expressions are explicitly banned by ISO C standard precisely for this reason, and different compilers, or the same compiler under different architectures/platforms, could approach this situation in different ways, thus causing undefined behavior. The bug report submitted by the team includes a more comprehensive explanation of the problem and the code submission that fixes it.
This was accepted into the upstream code base and is now part of the binutils package moving forward, and it has even already been further refined by other developers. This is a textbook example of how Open Source project development can be done right, and the ELS team is actively working in this space.
A problem with the fix for CVE-2018-12700, which does not seem to prevent the situation it claims to solve and that can still be triggered by our tests, has also been reported upstream and is awaiting clarification.
After the work that has been done in this update to binutils, Pavel Mayorov, another developer working on binutils, commented that “as far as I know, we’ve processed all the existing CVE for binutils… but we are still waiting for an answer regarding the problem with CVE-2018-12700“.
CLOSING THOUGHTS
Keeping older systems updated is a necessary requirement, and not just from a strictly security-related point of view, even if that is important in itself. It is also required to achieve and maintain compliance with several business standards that have stipulations around patching time delays.
By relying on ELS as the source for your security patches and updates, the minutious work carried by the team directly translates into your systems’ security and compliance to requirements and your own peace of mind. As a result, your systems are protected and stable, allowing you to focus on your specific business needs instead.
ADDENDUM
Full list of CVEs covered by the latest binutils update available through Extended Lifecycle Support service, grouped by CVE year.
CVE-2016-2226: Fix integer overflow in the string_appends function in cplus-dem.c
CVE-2016-4487: Fix use-after-free vulnerability in libiberty
CVE-2016-4488: Fix use-after-free vulnerability in libiberty
CVE-2016-4489: Fix integer overflow in libiberty
CVE-2016-4490: Fix integer overflow in cp-demangle.c in libiberty
CVE-2016-4492: Fix buffer overflow in the do_type function in cplus-dem.c in libiberty
CVE-2016-4493: Fix out-of-bounds read in demangle_template_value_parm and do_hpacc_template_literal
CVE-2016-6131: Fix infinite loop, stack overflow
CVE-2017-7223: Fix global buffer overflow (of size 1)
CVE-2017-7224: Fix invalid write (of size 1) while disassembling
CVE-2017-7225: Fix NULL pointer dereference and an invalid write
CVE-2017-7226: Fix heap-based buffer over-read of size 4049
CVE-2017-7227: Fix heap-based buffer overflow
CVE-2017-7299: Fix invalid read (of size 8) in ELF reloc section
CVE-2017-7300: Fix heap-based buffer over-read (off-by-one)
CVE-2017-7301: Fix off-by-one vulnerability
CVE-2017-7302: Fix invalid read (of size 4)
CVE-2017-7614: Fix undefined behavior issue
CVE-2017-8393: Fix global buffer over-read error
CVE-2017-8394: Fix invalid read of size 4 due to NULL pointer dereferencing
CVE-2017-8396: Fix invalid read of size 1
CVE-2017-8398: Fix invalid read of size 1 during dumping of debug information
CVE-2017-8421: Fix memory leak vulnerability
CVE-2017-9742: Fix buffer overflow
CVE-2017-9744: Fix buffer overflow
CVE-2017-9747: Fix buffer overflow
CVE-2017-9748: Fix buffer overflow
CVE-2017-9749: Fix buffer overflow
CVE-2017-9753: Fix buffer overflow
CVE-2017-9754: Fix buffer overflow
CVE-2017-12448: Fix use after free
CVE-2017-12449: Fix out of bounds heap read
CVE-2017-12455: Fix out of bounds heap read
CVE-2017-12457: Fix NULL dereference
CVE-2017-12458: Fix out of bounds heap read
CVE-2017-12459: Fix out of bounds heap write
CVE-2017-12450: Fix out of bounds heap write
CVE-2017-12452: Fix out of bounds heap read
CVE-2017-12453: Fix out of bounds heap read
CVE-2017-12454: Fix arbitrary memory read
CVE-2017-12456: Fix out of bounds heap read
CVE-2017-14333: Fix integer overflow, and hang because of a time-consuming loop
CVE-2017-12451: Fix out of bounds stack read
CVE-2017-12799: Fix buffer overflow
CVE-2017-13710: Fix NULL pointer dereference
CVE-2017-14130: Fix _bfd_elf_attr_strdup heap-based buffer over-read
CVE-2017-14932: Fix infinite loop
CVE-2017-14938: Fix excessive memory allocation
CVE-2017-14940: Fix NULL pointer dereference
CVE-2017-15020: Fix parse_die heap-based buffer over-read
CVE-2017-15022: Fix bfd_hash_hash NULL pointer dereference
CVE-2017-15225: Fix divide-by-zero error
CVE-2017-15938: Fix find_abstract_instance_name invalid memory read, segmentation fault
CVE-2017-15939: Fix NULL pointer dereference
CVE-2017-15996: Fix buffer overflow on fuzzed archive header
CVE-2017-16826: Fix invalid memory access
CVE-2017-16827: slurp_symtab invalid free
CVE-2017-16828: Fix integer overflow and heap-based buffer over-read
CVE-2017-16831: Fix integer overflow or excessive memory allocation
CVE-2017-17080: Fix bfd_getl32 heap-based buffer over-read
CVE-2017-17121: Fix memory access violation
CVE-2017-17123: Fix NULL pointer dereference
CVE-2017-17124: Fix excessive memory consumption or heap-based buffer overflow
CVE-2017-17125: Fix buffer over-read
CVE-2018-6323: Fix unsigned integer overflow
CVE-2018-6543: Fix integer overflow
CVE-2018-6759: Fix segmentation fault
CVE-2018-7208: Fix segmentation fault
CVE-2018-7568: Fix integer overflow
CVE-2018-7569: Fix integer underflow or overflow
CVE-2018-7642: Fix aout_32_swap_std_reloc_out NULL pointer dereference
CVE-2018-7643: Fix integer overflow
CVE-2018-8945: Fix segmentation fault
CVE-2018-13033: Fix excessive memory allocation
CVE-2018-10373: Fix NULL pointer dereference
CVE-2018-10535: Fix NULL pointer dereference
CVE-2018-18309: Fix invalid memory address dereference
CVE-2018-18605: Fix mishandles section merges
CVE-2018-18606: Fix NULL pointer dereference
CVE-2018-18607: Fix NULL pointer dereference in elf_link_input_bfd
CVE-2018-19931: Fix heap-based buffer overflow in bfd_elf32_swap_phdr_in
CVE-2018-19932: Fix integer overflow and infinite loop
CVE-2018-20002: Fix memory consumption
CVE-2018-20623: Fix use-after-free in the error function
CVE-2018-20671: Fix integer overflow vulnerability
CVE-2018-1000876: Fix integer overflow trigger heap overflow
CVE-2019-9073: Fix excessive memory allocation
CVE-2019-9075: Fix heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap
CVE-2019-9077: Fix heap-based buffer overflow in process_mips_specific
CVE-2019-12972: Fix heap-based buffer over-read in _bfd_doprnt
CVE-2019-14444: Fix integer overflow
CVE-2019-17450: Fix infinite recursion