2234013 – (CVE-2022-47673) CVE-2022-47673 binutils: out-of-bounds read in parse_module() in bfd/vms-alpha.c via addr2line

Bug 2234013 (CVE-2022-47673) - CVE-2022-47673 binutils: out-of-bounds read in parse_module() in bfd/vms-alpha.c via addr2line

Summary: CVE-2022-47673 binutils: out-of-bounds read in parse_module() in bfd/vms-alph...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2022-47673
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2234017 2234018 2234019 2234285 2234286 2234287 2234288 2234289 2234290 2234291 2234292 2234293 2234294 2234295 2234296 2234297 2234298 2234299
Blocks:	2233947
TreeView+	depends on / blocked

Reported:	2023-08-23 21:20 UTC by Guilherme de Almeida Suckevicz
Modified:	2023-11-14 11:29 UTC (History)
CC List:	29 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-11-09 09:18:46 UTC
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2023-08-23 21:20:47 UTC

An issue was discovered in Binutils addr2line before 2.39.3, function parse_module contains multiple out of bound reads which may cause a denial of service or other unspecified impacts.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=29876

Comment 1 Guilherme de Almeida Suckevicz 2023-08-23 21:24:26 UTC

Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 2234017]


Created gdb tracking bugs for this issue:

Affects: fedora-all [bug 2234018]


Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 2234019]

Comment 4 Nick Clifton 2023-08-24 13:00:08 UTC

(In reply to Guilherme de Almeida Suckevicz from comment #0)
> An issue was discovered in Binutils addr2line before 2.39.3, function
> parse_module contains multiple out of bound reads which may cause a denial
> of service or other unspecified impacts.

The SECURITY.txt file found in the upstream GNU Binutils sources makes it clear that bug in inspection tools like addr2line are not considered to be security issues, and hence do not qualify for CVE treatment.

Note You need to log in before you can comment on or make changes to this bug.

acrosby
ailan
bdettelb
caswilli
desktop-qa-list
fjansen
fweimer
gdb-bugs
hkataria
jburrell
jmitchel
jsamir
jsherril
jtanner
kaycoth
keiths
kshier
mcermak
mpolacek
mprchlik
nickc
ohudlick
psegedy
rjones
sipoyare
sthirugn
tsasak
virt-maint
vkrizan