SB2018092308 - Multiple vulnerabilities in GNU Binutils

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2018-17359)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in bfd_zalloc in opncls.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.

2) Input validation error (CVE-ID: CVE-2018-17360)

The vulnerability allows an attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service via a crafted PE file.

Remediation

Install update from vendor's website.

References

• http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html
• http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html
• https://sourceware.org/bugzilla/show_bug.cgi?id=23686
• https://usn.ubuntu.com/4336-1/
• https://sourceware.org/bugzilla/show_bug.cgi?id=23685