SB20230918101 - Ubuntu update for binutils

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20230918101

SB20230918101 - Ubuntu update for binutils

Published: September 18, 2023

Security Bulletin ID SB20230918101
Severity
Medium
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 38% Low 63%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 secuirty vulnerabilities.


1) Memory leak (CVE-ID: CVE-2020-19724)

The vulnerability allows a local user to perform DoS attack on the target system.

The vulnerability exists due memory leak. A local user can force the application to leak memory and perform denial of service attack.


2) Memory leak (CVE-ID: CVE-2020-21490)

The vulnerability allows a local user to perform DoS attack on the target system.

The vulnerability exists due memory leak. A local user can force the application to leak memory and perform denial of service attack.


3) Buffer overflow (CVE-ID: CVE-2020-19726)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in libbfd.c when handling the auxiliary symbol data. A remote attacker can trick the victim to pass specially crafted data to the application and perform a denial of service (DoS) attack.


4) Out-of-bounds write (CVE-ID: CVE-2021-46174)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the bfd_getl32() function in objdump. A remote attacker can trick the victim to pass specially crfated input to the application, trigger an out-of-bounds write error and perform a denial of service attack.


5) Heap-based buffer overflow (CVE-ID: CVE-2022-45703)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the display_debug_section() function in readelf.c. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


6) Improper Initialization (CVE-ID: CVE-2020-35342)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to GNU Binutils has an uninitialized-heap vulnerability in function tic4x_print_cond (file opcodes/tic4x-dis.c). A remote attacker can run a specially crafted application to execute arbitrary code with escalated privileges on the system.


7) Heap-based buffer overflow (CVE-ID: CVE-2022-44840)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the find_section_in_set() function in readelf.c. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


8) Input validation error (CVE-ID: CVE-2022-47695)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the bfd_mach_o_get_synthetic_symtab() function in match-o.c in objdump. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References