SB2017042529 - NULL pointer dereference in binutils (Alpine package)
Published: April 25, 2017
Security Bulletin ID
SB2017042529
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) NULL pointer dereference (CVE-ID: CVE-2017-7614)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a "member access within null pointer" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an "int main() {return 0;}" program.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=0ac897cc91d6e616423895be89c09150f908c874
- https://git.alpinelinux.org/aports/commit/?id=1699ed48b80a1f0550e3af4983727d83f9594e26
- https://git.alpinelinux.org/aports/commit/?id=30e67c63dba1de11cfe9a7af61304af3e00a3eff
- https://git.alpinelinux.org/aports/commit/?id=3c0b2ef21e436d6895ad412d2d1aeb568b95db50
- https://git.alpinelinux.org/aports/commit/?id=55858ef24e4e1f0e4aef26149bc6f73d72a4e536
- https://git.alpinelinux.org/aports/commit/?id=a64b11f0247784a8e364cd711948b487b5887832