Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.2940
binutils security and bug fix update
7 August 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: binutils
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 7
Red Hat Enterprise Linux WS/Desktop 7
Linux variants
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2018-1000876 CVE-2018-12697 CVE-2018-12641
Original Bulletin:
https://access.redhat.com/errata/RHSA-2019:2075
Comment: This advisory references vulnerabilities in products which run on
platforms other than Red Hat. It is recommended that administrators
running binutils check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: binutils security and bug fix update
Advisory ID: RHSA-2019:2075-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2019:2075
Issue date: 2019-08-06
CVE Names: CVE-2018-12641 CVE-2018-12697 CVE-2018-1000876
=====================================================================
1. Summary:
An update for binutils is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
The binutils packages provide a collection of binary utilities for the
manipulation of object code in various object file formats. It includes the
ar, as, gprof, ld, nm, objcopy, objdump, ranlib, readelf, size, strings,
strip, and addr2line utilities.
Security Fix(es):
* binutils: integer overflow leads to heap-based buffer overflow in objdump
(CVE-2018-1000876)
* binutils: Stack Exhaustion in the demangling functions provided by
libiberty (CVE-2018-12641)
* binutils: NULL pointer dereference in work_stuff_copy_to_from in
cplus-dem.c. (CVE-2018-12697)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.7 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1594410 - CVE-2018-12641 binutils: Stack Exhaustion in the demangling functions provided by libiberty
1595417 - CVE-2018-12697 binutils: NULL pointer dereference in work_stuff_copy_to_from in cplus-dem.c.
1624776 - binutils: ld removes some R_X86_64_JUMP_SLOT relocations
1652587 - Add support for the .attach_to_group pseudo-op to the assembler
1664699 - CVE-2018-1000876 binutils: integer overflow leads to heap-based buffer overflow in objdump
1670014 - binutils: Enable gold linker on all architectures with upstream implementation
1699745 - Failed ld plt-main/pltgot test cases
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
binutils-2.27-41.base.el7.src.rpm
x86_64:
binutils-2.27-41.base.el7.x86_64.rpm
binutils-debuginfo-2.27-41.base.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
binutils-debuginfo-2.27-41.base.el7.i686.rpm
binutils-debuginfo-2.27-41.base.el7.x86_64.rpm
binutils-devel-2.27-41.base.el7.i686.rpm
binutils-devel-2.27-41.base.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
binutils-2.27-41.base.el7.src.rpm
x86_64:
binutils-2.27-41.base.el7.x86_64.rpm
binutils-debuginfo-2.27-41.base.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
binutils-debuginfo-2.27-41.base.el7.i686.rpm
binutils-debuginfo-2.27-41.base.el7.x86_64.rpm
binutils-devel-2.27-41.base.el7.i686.rpm
binutils-devel-2.27-41.base.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
binutils-2.27-41.base.el7.src.rpm
ppc64:
binutils-2.27-41.base.el7.ppc64.rpm
binutils-debuginfo-2.27-41.base.el7.ppc.rpm
binutils-debuginfo-2.27-41.base.el7.ppc64.rpm
binutils-devel-2.27-41.base.el7.ppc.rpm
binutils-devel-2.27-41.base.el7.ppc64.rpm
ppc64le:
binutils-2.27-41.base.el7.ppc64le.rpm
binutils-debuginfo-2.27-41.base.el7.ppc64le.rpm
binutils-devel-2.27-41.base.el7.ppc64le.rpm
s390x:
binutils-2.27-41.base.el7.s390x.rpm
binutils-debuginfo-2.27-41.base.el7.s390.rpm
binutils-debuginfo-2.27-41.base.el7.s390x.rpm
binutils-devel-2.27-41.base.el7.s390.rpm
binutils-devel-2.27-41.base.el7.s390x.rpm
x86_64:
binutils-2.27-41.base.el7.x86_64.rpm
binutils-debuginfo-2.27-41.base.el7.i686.rpm
binutils-debuginfo-2.27-41.base.el7.x86_64.rpm
binutils-devel-2.27-41.base.el7.i686.rpm
binutils-devel-2.27-41.base.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
binutils-2.27-41.base.el7.src.rpm
x86_64:
binutils-2.27-41.base.el7.x86_64.rpm
binutils-debuginfo-2.27-41.base.el7.i686.rpm
binutils-debuginfo-2.27-41.base.el7.x86_64.rpm
binutils-devel-2.27-41.base.el7.i686.rpm
binutils-devel-2.27-41.base.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2018-12641
https://access.redhat.com/security/cve/CVE-2018-12697
https://access.redhat.com/security/cve/CVE-2018-1000876
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.7_release_notes/index
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXUl2L9zjgjWX9erEAQgfRRAAigIkgy2H1Sory9p1hoy1FtS22QkMs9Yp
MinmLkh4B+Et04n2UeKnxYB2Bzd2jH1VioHfFPv7Z/KwHlZM9Ophc9EFC61ARUfz
Xfjpk2JiqMZTF77p5A43hje/0ooecRU/bumSIo482OBKDIdExX6EInHPr23Rw3ro
rNQqHlrf1pivG2fU4k+Qj4QWN1D2GzRwTy/cJw/Myx32Chqy99OcyS5g8JqEcFfF
WFEtiDvzIYhG9mfFvaOJSJJldi0gQj9ZsEPcOLxN2dd+P5DzM61ZKI8/2+0dtO6E
q3ZHfwypwusOKw/z/kOuMXIoKKSe7tHntzs2q0QZPN/2xd5NgBWEo4GpuYYPNyvz
QfJTnR9IcVmoajGjjqqNA8KCOGyfOy0+HNYk5V/HB5a2Na7nB7bKctBUNRwDwmaq
tML+2ALIoOnPpCzqSijiOqIzZ4GGMdmmvFlnhMSlJvvDocYRxPShocIC/DpxxFf8
D04KRVkRiO9+5w5rQY2KatPoY5NVVKi67lBYg7NS/iY+cop/zKwU7ut8op/0h3Kd
CtsTAjZutJ58i3BDqb6yjlF+RpBiuvIwWsXDULpbSWv3MzVN9zq8aqMzjeiFqPod
7iHDKKuI+wPYUnnAZvSbeNiXQ3lcpXSnrFKTGXzJnVqN5ckOebIdAOAjysSALaFi
4PUiYmp57yI=
=l8De
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXUpHbmaOgq3Tt24GAQgxmA//bejewHWkXv0OdtCCi3PzxAQuYdlOtpsh
neMdwDS7rV112hFnAcZhyGu2rU9p61Eotpu2o1HrHElfOhAD3fHy1X6NjiMz9T3Y
fOmoXgqLjpX3adldJmrYqt0tVt3fDoIB4meFl6RDa2EDeXXEvYtB6WjN+X6W2HN6
oxLg66PopX6Mvh8gAnrBWzhkvsSn/4xS8YUMXVtauiD9o9cvQflFcL7+j0hBjQGr
PS6I+SrKjAR0k5n2PiLJvI9q7Mw8BDKCuRnNmJTp5NNwlsr9b5Y+utiOoEYQdSJ3
C5DclGZ4ihbpU/OL2TcEE9nVOvyHpg6aJHyovjkFFCszbWngLi77bUlJ0sYDALyI
peZYu8xA84+XA1zxSzwv4epS+BzTah1A0RVS4lJ5YedJGKBCtwYcffasVY09NNoD
tnUVja94MMFQj9dpvc3LyXDKXKOC1OEw31KhgS+vH66B6JbxlzmxHDQApRbcQy0d
jbklIfJrh0yygb6DGp6HfxU8QWmAqWUTBfg5b4Lg/n+9ZwbkPFw+Vab92j+EkEC+
X3NlMFMPNGlCjOp/coS6N0iHk8d4GCwmoaVfrkwSmOfPwIBeZvZNAiE/6p+y4AIs
1SeX9yIlhbk3VB46re3LUOCP2i9P00noCLhmUvVDEIrHBnHlUN2cMTMIAdAlEKzD
mBYiWQcJCyY=
=xObD
-----END PGP SIGNATURE-----