SB2022032315 - Ubuntu update for binutils

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Heap-based buffer overflow (CVE-ID: CVE-2017-17122)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in The dump_relocs_in_section function in objdump.c in GNU Binutils 2.29.1 does not check for reloc count integer overflows, which. A remote attacker can use a crafted PE file. to trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Input validation error (CVE-ID: CVE-2021-3487)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the BFD library in binutils. A remote attacker who supplies a crafted file to an application linked with BFD can use the DWARF functionality to perform a denial of service (DoS) attack.

3) Out-of-bounds write (CVE-ID: CVE-2021-45078)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary error in stab_xcoff_builtin_type() function in stabs.c. A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.

Note, the vulnerability exists due to incorrect patch for #VU13471 (CVE-2018-12699).

Remediation

Install update from vendor's website.

References

• https://ubuntu.com/security/notices/USN-5341-1