{
  "threat_severity" : "Moderate",
  "public_date" : "2018-12-16T00:00:00Z",
  "bugzilla" : {
    "description" : "binutils: integer overflow leads to heap-based buffer overflow in objdump",
    "id" : "1664699",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1664699"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.0",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-190",
  "details" : [ "binutils version 2.32 and earlier contains an Integer Overflow vulnerability in objdump, bfd_get_dynamic_reloc_upper_bound, bfd_canonicalize_dynamic_reloc that can result in an integer overflow triggering a heap overflow. Successful exploitation allows execution of arbitrary code. This attack appears to be exploitable locally. This vulnerability appears to have been fixed after commit 3a551c7a1b80fca579461774860574eabfd7f18f." ],
  "statement" : "The issue is classified as moderate severity primarily because of the unlikelihood of running a 32-bit compiled objdump and/or having a compiled binary that uses 32-bit compiled binutils libraries to analyze binaries from an untrusted source. Moreover, binutils does not handle privileged operations, meaning exploitation is unlikely to lead to system compromise or escalation of privileges. Additionally, the impact is localized to the application itself, without affecting the broader system or network security.\nAs per the upstream binutils security policy, this issue is not considered a security flaw. The key element of the policy that affects this is the understanding that analysis of untrusted binaries must always be done in a sandbox because the ELF format is open-ended enough to make the analysis tools do anything, like including and processing arbitrary files. This eliminates the only possible vulnerability vector here, which is the possibility of a user being tricked into downloading and analyzing an untrusted ELF without sandboxing.\nSee the binutils security policy for more details:\nhttps://sourceware.org/cgit/binutils-gdb/tree/binutils/SECURITY.txt",
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Tower 3.4 for RHEL 7",
    "release_date" : "2020-02-18T00:00:00Z",
    "advisory" : "RHBA-2020:0547",
    "cpe" : "cpe:/a:redhat:ansible_tower:3.4::el7",
    "package" : "ansible-tower-34/ansible-tower-memcached:1.4.15-28"
  }, {
    "product_name" : "Red Hat Ansible Tower 3.4 for RHEL 7",
    "release_date" : "2020-02-18T00:00:00Z",
    "advisory" : "RHBA-2020:0547",
    "cpe" : "cpe:/a:redhat:ansible_tower:3.4::el7",
    "package" : "ansible-tower-35/ansible-tower-memcached:1.4.15-28"
  }, {
    "product_name" : "Red Hat Ansible Tower 3.4 for RHEL 7",
    "release_date" : "2020-02-18T00:00:00Z",
    "advisory" : "RHBA-2020:0547",
    "cpe" : "cpe:/a:redhat:ansible_tower:3.4::el7",
    "package" : "ansible-tower-37/ansible-tower-memcached-rhel7:1.4.15-28"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2019-08-06T00:00:00Z",
    "advisory" : "RHSA-2019:2075",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "binutils-0:2.27-41.base.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "binutils",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "binutils",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "binutils",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "mingw-binutils",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-1000876\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1000876" ],
  "name" : "CVE-2018-1000876",
  "csaw" : false
}