GNU Binutils is one of the fundamental packages in a development environment – it includes several different tools for manipulating ELF files, object files, and others that are important in the binary creation process. So finding and fixing issues in it strengthens the whole process and has far-reaching benefits.

In the latest batch of updates released by the Extended Lifecycle Support team for the supported Linux distributions, over 90 CVEs were fixed in GNU Binutils.

CONTENT:

1. The Extended Lifecycle Support user point-of-view
2. At a deeper level
3. Closing thoughts
4. Addendum

THE EXTENDED LIFECYCLE SUPPORT USER POINT OF VIEW

As a service user, you can have the peace of mind of having a dedicated team of experts in security and Linux preparing adequate updates for systems that would otherwise not have any updates available at all.

In this specific instance, binutils is a fundamental package, relied upon by many other tools like development stacks, debuggers, code analysis, and many others, not necessarily development-related tools. So, keeping it secure will directly impact overall system security and stability.

At a deeper level

TuxCare’s Extended Lifecycle Support team is usually busy testing CVE fix code, adapting it to older versions of packages included in the supported Linux distributions, and ensuring that the packages released actually protect users against the vulnerabilities claimed to be addressed. This process is called “backporting”, as it consists of taking a fix that applies to a more recent version of a package and adapting it to work in older versions like the ones present in the Linux distributions covered by ELS. As a result, there is a lot of time spent just eyeballing the code and running tests on it.

When working on CVEs, sometimes the analysis will identify new issues that were overlooked at the time when they were originally addressed. The ELS team always strives to responsibly inform upstream open source projects and contribute the code to these projects. This has the added benefit of improving the security of the IT ecosystem as a whole. Of course, fixes for these new issues are also provided to the ELS users, as the systems they are running are out of original vendor support and would not otherwise receive the fixed code through other means.

One of the latest results of this activity, and already included in the available updates, addresses a total of 92 vulnerabilities in binutils alone. These range from “buffer overflows” to “use after free” issues and have a wide range of CVSS scores – not all of them are critical, but many indeed are.

Being a fundamental package, binutils contains tools used extensively in code analysis, debugging, and linking operations, and are also used by many other third party tools. You don’t have to be doing actual development work in order to have binutils in your system, you probably have it as a dependency for some other application or tool that is deployed. Keeping binutils updated will ensure the correct and secure operation of more than just binutils itself.

In some of these CVEs, the team identified situations where original CVE fixes introduced new issues like undefined behavior or other security issues. These required in-house code development to fix. Such code was then submitted to upstream open source projects, which in turn either accepted and committed it to those projects, or prepared their own code to fix the new reported issues.

An example of this is CVE-2018-7568. The ELS team identified a situation where the code fix originally submitted would cause undefined behavior, and it was reported to the upstream project here.

The issue was spotted by Nikita Popov, a team member while reviewing the changes made to the original CVE fix to ensure it wouldn’t break on older Linux distributions and “played nicely” with the rest of the code.

It turns out that the patch for CVE-2018-7568 includes an unsigned type used as a block length (block_len) counter. When used in expressions like

xptr + block_len < xptr

under the right situations – block_len being unsigned – this could be completely omitted by the compiler that could optimize away this line. This type of expressions are explicitly banned by ISO C standard precisely for this reason, and different compilers, or the same compiler under different architectures/platforms, could approach this situation in different ways, thus causing undefined behavior. The bug report submitted by the team includes a more comprehensive explanation of the problem and the code submission that fixes it.

This was accepted into the upstream code base and is now part of the binutils package moving forward, and it has even already been further refined by other developers. This is a textbook example of how Open Source project development can be done right, and the ELS team is actively working in this space.

A problem with the fix for CVE-2018-12700, which does not seem to prevent the situation it claims to solve and that can still be triggered by our tests, has also been reported upstream and is awaiting clarification.

After the work that has been done in this update to binutils, Pavel Mayorov, another developer working on binutils, commented that “as far as I know, we’ve processed all the existing CVE for binutils… but we are still waiting for an answer regarding the problem with CVE-2018-12700“.

CLOSING THOUGHTS

Keeping older systems updated is a necessary requirement, and not just from a strictly security-related point of view, even if that is important in itself. It is also required to achieve and maintain compliance with several business standards that have stipulations around patching time delays.

By relying on ELS as the source for your security patches and updates, the minutious work carried by the team directly translates into your systems’ security and compliance to requirements and your own peace of mind. As a result, your systems are protected and stable, allowing you to focus on your specific business needs instead.

ADDENDUM

Full list of CVEs covered by the latest binutils update available through Extended Lifecycle Support service, grouped by CVE year.

CVE-2016-2226: Fix integer overflow in the string_appends function in cplus-dem.c

CVE-2016-4487: Fix use-after-free vulnerability in libiberty

CVE-2016-4488: Fix use-after-free vulnerability in libiberty

CVE-2016-4489: Fix integer overflow in libiberty

CVE-2016-4490: Fix integer overflow in cp-demangle.c in libiberty

CVE-2016-4492: Fix buffer overflow in the do_type function in cplus-dem.c in libiberty

CVE-2016-4493: Fix out-of-bounds read in demangle_template_value_parm and do_hpacc_template_literal

CVE-2016-6131: Fix infinite loop, stack overflow

CVE-2017-7223: Fix global buffer overflow (of size 1)

CVE-2017-7224: Fix invalid write (of size 1) while disassembling

CVE-2017-7225: Fix NULL pointer dereference and an invalid write

CVE-2017-7226: Fix heap-based buffer over-read of size 4049

CVE-2017-7227: Fix heap-based buffer overflow

CVE-2017-7299: Fix invalid read (of size 8) in ELF reloc section

CVE-2017-7300: Fix heap-based buffer over-read (off-by-one)

CVE-2017-7301: Fix off-by-one vulnerability

CVE-2017-7302: Fix invalid read (of size 4)

CVE-2017-7614: Fix undefined behavior issue

CVE-2017-8393: Fix global buffer over-read error

CVE-2017-8394: Fix invalid read of size 4 due to NULL pointer dereferencing

CVE-2017-8396: Fix invalid read of size 1

CVE-2017-8398: Fix invalid read of size 1 during dumping of debug information

CVE-2017-8421: Fix memory leak vulnerability

CVE-2017-9742: Fix buffer overflow

CVE-2017-9744: Fix buffer overflow

CVE-2017-9747: Fix buffer overflow

CVE-2017-9748: Fix buffer overflow

CVE-2017-9749: Fix buffer overflow

CVE-2017-9753: Fix buffer overflow

CVE-2017-9754: Fix buffer overflow

CVE-2017-12448: Fix use after free

CVE-2017-12449: Fix out of bounds heap read

CVE-2017-12455: Fix out of bounds heap read

CVE-2017-12457: Fix NULL dereference

CVE-2017-12458: Fix out of bounds heap read

CVE-2017-12459: Fix out of bounds heap write

CVE-2017-12450: Fix out of bounds heap write

CVE-2017-12452: Fix out of bounds heap read

CVE-2017-12453: Fix out of bounds heap read

CVE-2017-12454: Fix arbitrary memory read

CVE-2017-12456: Fix out of bounds heap read

CVE-2017-14333: Fix integer overflow, and hang because of a time-consuming loop

CVE-2017-12451: Fix out of bounds stack read

CVE-2017-12799: Fix buffer overflow

CVE-2017-13710: Fix NULL pointer dereference

CVE-2017-14130: Fix _bfd_elf_attr_strdup heap-based buffer over-read

CVE-2017-14932: Fix infinite loop

CVE-2017-14938: Fix excessive memory allocation

CVE-2017-14940: Fix NULL pointer dereference

CVE-2017-15020: Fix parse_die heap-based buffer over-read

CVE-2017-15022: Fix bfd_hash_hash NULL pointer dereference

CVE-2017-15225: Fix divide-by-zero error

CVE-2017-15938: Fix find_abstract_instance_name invalid memory read, segmentation fault

CVE-2017-15939: Fix NULL pointer dereference

CVE-2017-15996: Fix buffer overflow on fuzzed archive header

CVE-2017-16826: Fix invalid memory access

CVE-2017-16827: slurp_symtab invalid free

CVE-2017-16828: Fix integer overflow and heap-based buffer over-read

CVE-2017-16831: Fix integer overflow or excessive memory allocation

CVE-2017-17080: Fix bfd_getl32 heap-based buffer over-read

CVE-2017-17121: Fix memory access violation

CVE-2017-17123: Fix NULL pointer dereference

CVE-2017-17124: Fix excessive memory consumption or heap-based buffer overflow

CVE-2017-17125: Fix buffer over-read

CVE-2018-6323: Fix unsigned integer overflow

CVE-2018-6543: Fix integer overflow

CVE-2018-6759: Fix segmentation fault

CVE-2018-7208: Fix segmentation fault

CVE-2018-7568: Fix integer overflow

CVE-2018-7569: Fix integer underflow or overflow

CVE-2018-7642: Fix aout_32_swap_std_reloc_out NULL pointer dereference

CVE-2018-7643: Fix integer overflow

CVE-2018-8945: Fix segmentation fault

CVE-2018-13033: Fix excessive memory allocation

CVE-2018-10373: Fix NULL pointer dereference

CVE-2018-10535: Fix NULL pointer dereference

CVE-2018-18309: Fix invalid memory address dereference

CVE-2018-18605: Fix mishandles section merges

CVE-2018-18606: Fix NULL pointer dereference

CVE-2018-18607: Fix NULL pointer dereference in elf_link_input_bfd

CVE-2018-19931: Fix heap-based buffer overflow in bfd_elf32_swap_phdr_in

CVE-2018-19932: Fix integer overflow and infinite loop

CVE-2018-20002: Fix memory consumption

CVE-2018-20623: Fix use-after-free in the error function

CVE-2018-20671: Fix integer overflow vulnerability

CVE-2018-1000876: Fix integer overflow trigger heap overflow

CVE-2019-9073: Fix excessive memory allocation

CVE-2019-9075: Fix heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap

CVE-2019-9077: Fix heap-based buffer overflow in process_mips_specific

CVE-2019-12972: Fix heap-based buffer over-read in _bfd_doprnt

CVE-2019-14444: Fix integer overflow

CVE-2019-17450: Fix infinite recursion