Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.3013 USN-6101-1: GNU binutils vulnerabilities 25 May 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: binutils Publisher: Ubuntu Operating System: Ubuntu Resolution: Patch/Upgrade CVE Names: CVE-2023-25588 CVE-2023-25586 CVE-2023-25585 CVE-2023-25584 CVE-2023-1972 CVE-2023-1579 Original Bulletin: https://ubuntu.com/security/notices/USN-6101-1 Comment: CVSS (Max): 7.8 CVE-2023-1579 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSS Source: [NVD], Red Hat Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- USN-6101-1: GNU binutils vulnerabilities 24 May 2023 Several security issues were fixed in GNU binutils. Releases o Ubuntu 23.04 o Ubuntu 22.10 o Ubuntu 22.04 LTS o Ubuntu 20.04 LTS o Ubuntu 18.04 ESM o Ubuntu 16.04 ESM o Ubuntu 14.04 ESM Packages o binutils - GNU assembler, linker and binary utilities Details It was discovered that GNU binutils incorrectly handled certain DWARF files. An attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue only affected Ubuntu 22.10. ( CVE-2023-1579 ) It was discovered that GNU binutils did not properly verify the version definitions in zer0-lengthverdef table. An attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS, Ubuntu 22.10 and Ubuntu 23.04. ( CVE-2023-1972 ) It was discovered that GNU binutils did not properly validate the size of length parameter in vms-alpha. An attacker could possibly use this issue to cause a crash or access sensitive information. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 22.10. ( CVE-2023-25584 ) It was discovered that GNU binutils did not properly initialized the file_table field of struct module and the_bfd field of asymbol. An attacker could possibly use this issue to cause a crash. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. ( CVE-2023-25585 , CVE-2023-25586 ) Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 23.04 o binutils-multiarch - 2.40-2ubuntu4.1 o binutils - 2.40-2ubuntu4.1 Ubuntu 22.10 o binutils-multiarch - 2.39-3ubuntu1.2 o binutils - 2.39-3ubuntu1.2 Ubuntu 22.04 o binutils-multiarch - 2.38-4ubuntu2.2 o binutils - 2.38-4ubuntu2.2 Ubuntu 20.04 o binutils-multiarch - 2.34-6ubuntu1.5 o binutils - 2.34-6ubuntu1.5 Ubuntu 18.04 o binutils-multiarch - 2.30-21ubuntu1~18.04.9 o binutils - 2.30-21ubuntu1~18.04.9 Ubuntu 16.04 o binutils-multiarch - 2.26.1-1ubuntu1~16.04.8+esm6 Available with Ubuntu Pro o binutils - 2.26.1-1ubuntu1~16.04.8+esm6 Available with Ubuntu Pro Ubuntu 14.04 o binutils-multiarch - 2.24-5ubuntu14.2+esm1 Available with Ubuntu Pro o binutils - 2.24-5ubuntu14.2+esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References o CVE-2023-1972 o CVE-2023-25588 o CVE-2023-25585 o CVE-2023-25584 o CVE-2023-1579 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBZG6wcckNZI30y1K9AQhGWA//XSdlFFrZItfO8GmniGEElaTGUfq0+PDD zb9pb6acOdep2tswPIjLyWXM//Gt/es0sJX0rZTajRhPBYlK5eAmh85a9t+7pCM/ vTU/X3oya3rjP/6fW87p3Cwt6vUYP9yONvmeO+MXrVPMSSTr/B2MncL7Po/aaSpd 387iIr2vyuNFkc3gk9p3C/aX9cPQS8BohWruDXAws5k7NE2NhYoRDGa0KfttuAtE 3IRyhItE6Jlp8Uj5msrc/dxFMC4CuMieVXf7xWDNnN0Ipzjs8NomctLWqWRlB2GT oGyLGj4QToNAisBqEN8Svak9eAR60jO5BZSaykCJaBtty1qjDS6xoFdms/S01b0y 2q0Cui0uO2CEfKdYX9r1quNv7ao9c9YxVtuokWLKEP9biZiffgMhCsHn/5b5CkMa x3Q5b2SmWSFwOYJ+hiqec6imL/7CNsAS8ocB1P8Gt9XENKMeSPNpEuWoJbTpHBwA KPQ3WkCUSVxRAnapF/lOOtzh08RGj0YUc07sEedmg1NlGamWmJtKFch45vKbj7Ex vVULIYyGhpjSwNxnyg8bCcp84prBnoupVcbYZu/Ta37qC3yz5yzmPpmVvlDnDZzN NTQsN0Da+WiVmHe7GfytVN57nL8gBAppMNYdP17v3zhXnFA57RirRGUY3mR5AxmE NsO/PsspX/Y= =eZE+ -----END PGP SIGNATURE-----