While backporting fixes for the binutils package to older Linux distributions covered by Extended Lifecycle Support, the team identified a vulnerability in the way CVE-2018-12699 was originally addressed: the upstream fix was incomplete. The new vulnerability allows memory corruption and denial of service under specific conditions in binutils functionality that is, in turn, used by multiple other packages.
The original vulnerability carried a CVSS v3 score of 9.8; the newly identified vulnerability has been assigned a CVSS v3 score of 7.5. The latest binutils update available to service subscribers already includes a proper fix for the underlying issue, and the code was also fixed in the upstream open source project after our report.
A HIGH-LEVEL OVERVIEW OF THE RISK
It is possible to make specific binutils tools crash by feeding them malformed input that they handle improperly. This in turn can trigger failures in other tools or applications that rely on binutils for their operation, such as debuggers, file viewers, etc.
Binutils includes functionality to analyze different types of object files, such as ELF (the standard Linux executable format) and XCOFF, an older COFF-derived format used on IBM AIX. The specific case that triggers this vulnerability lies in the code that handles XCOFF-style builtin types in stabs debugging information. While this is a relatively old format that ELF has long since superseded on Linux, the code to handle it is still present in the binutils package and is reachable from tools that read debugging information.
binutils is a fundamental package in Linux distributions, and even on systems where software development tools are never used directly, it is very likely already deployed on production systems as a dependency of other packages. It includes multiple tools for tasks like binary file manipulation, linking, assembly and other assorted functionality used heavily in, among others, development and debugging scenarios. Keeping it up to date ensures that those applications and core system functionality are kept stable and secure.
A DETAILED LOOK AT THE ISSUES
In the function stab_xcoff_builtin_type, found in the file binutils/stab.c, there is an out-of-bounds write into the array info->xcoff_types that happens when a specific typenum (-34) is passed: the range check accepts the value, but the index derived from it lies just past the end of the array, so the write lands on the adjacent field info->tags (stab.c line 3668 in the version examined).
In turn, the corrupted tags pointer leads to a segmentation fault when the function finish_stab is later called and walks that list.
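The following is an added example written for this article, not code from binutils itself. It models the pattern described above in a simplified, self-contained form: a 34-entry table of XCOFF builtin types immediately followed by the tags pointer, a lookup whose range check admits -34 while the table is indexed by -typenum, and the hardened variant in which the check and the index are derived from the same value. The table size, the field layout and the function names are assumptions made for the illustration; the overflowing store is performed through a byte offset inside the struct so that the demo itself stays defined behaviour while still showing that slot 34 is the tags field.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of the stabs reader state in stab.c: a
   fixed table of XCOFF builtin types immediately followed by the tag
   list pointer.  The size (34) and direct indexing by -typenum are
   assumptions for this illustration, not a copy of binutils. */
#define XCOFF_TYPE_COUNT 34

typedef const char *debug_type;   /* stand-in for binutils' debug_type */

struct stab_handle {
  debug_type xcoff_types[XCOFF_TYPE_COUNT];
  void *tags;                     /* the field the overflow lands on */
};

/* Both members are pointer-sized, so no padding separates them and
   "slot 34" of the table is exactly the tags field. */
_Static_assert(offsetof(struct stab_handle, tags)
               == XCOFF_TYPE_COUNT * sizeof(debug_type),
               "model layout: tags must directly follow xcoff_types");

/* Store a table entry through a byte offset inside the struct.  Done this
   way so the out-of-bounds case is still a write inside the object, i.e.
   the demo is defined behaviour while showing the overlap. */
static void store_entry(struct stab_handle *info, size_t idx, debug_type t)
{
  memcpy((unsigned char *)info + idx * sizeof(debug_type), &t, sizeof t);
}

/* Vulnerable pattern: the range check admits typenum == -XCOFF_TYPE_COUNT,
   but the table is indexed by -typenum, so -34 becomes index 34 of a
   34-entry array.  Returns 1 if an entry was (over)written, 0 if refused. */
static int xcoff_builtin_vulnerable(struct stab_handle *info, int typenum)
{
  if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
    return 0;                                /* "Unrecognized XCOFF type" */
  store_entry(info, (size_t)-typenum, "builtin");
  return 1;
}

/* Hardened pattern: compute the index first and bound-check the index, so
   the check and the access cannot drift apart.  -1..-34 map to 0..33. */
static int xcoff_builtin_fixed(struct stab_handle *info, int typenum)
{
  int idx;
  if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
    return 0;
  idx = -typenum - 1;
  if (idx < 0 || idx >= XCOFF_TYPE_COUNT)
    return 0;
  store_entry(info, (size_t)idx, "builtin");
  return 1;
}

static int tag_sentinel;

/* Run one lookup on a fresh handle whose tags pointer is a sentinel and
   report the outcome: 1 = lookup accepted and tags clobbered,
   0 = lookup accepted and tags intact, -1 = lookup refused. */
static int probe(int (*lookup)(struct stab_handle *, int), int typenum)
{
  struct stab_handle h;
  memset(&h, 0, sizeof h);
  h.tags = &tag_sentinel;
  if (!lookup(&h, typenum))
    return -1;
  return h.tags == &tag_sentinel ? 0 : 1;
}

int main(void)
{
  printf("vulnerable, typenum -34: %d (1 = tags clobbered)\n",
         probe(xcoff_builtin_vulnerable, -34));
  printf("fixed,      typenum -34: %d (0 = tags intact)\n",
         probe(xcoff_builtin_fixed, -34));
  printf("fixed,      typenum -35: %d (-1 = refused)\n",
         probe(xcoff_builtin_fixed, -35));
  return 0;
}
```

The point of the harness is the contrast between -34 and -35: the vulnerable check refuses -35 correctly, which is why a range check alone looks sufficient on review, yet -34 passes the check and overwrites tags. Once tags holds a pointer to a string constant instead of a tag list, anything that later walks that list (in binutils, finish_stab) dereferences garbage, which is the crash the report describes.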
CVE-2021-45078 was requested and assigned for the new issue and received a CVSS v3 score of 7.5. As the assignment is very recent, the score may still be revised as the situation is analyzed further by other developers. The original CVE-2018-12699, which addressed a similar situation elsewhere in the code but missed this specific code path, was assigned a 9.8 score (out of 10), so it is recognized that causing binutils to crash is a very serious situation that requires caution.
“They [the upstream project team] have a huge list of CVEs covered with a single patch that should have addressed all of the situations, but it didn’t actually fix all cases,” explains Pavel Mayorov, the team member backporting fixes for binutils who spotted the missing fix. “The patch doesn’t touch all the places in the source code that could trigger this.” Covering multiple CVEs with a single patch is uncommon, and when it happens it is easy for one of the trigger sites to be overlooked.
The complete report can be found here and includes proof-of-concept code that triggers the issue.
This vulnerability comes from an incomplete fix of CVE-2018-12699 that missed some of the cases able to trigger the issue. The reported situation was resolved by other project developers after our report was submitted, so the issue is fixed in every binutils version going forward. It was also fixed on older Linux distributions that are out of original vendor support but covered by Extended Lifecycle Support Services, and those systems have the fixed version available through the usual update channel.