Bug 1206080 (CVE-2022-4285) - VUL-1: CVE-2022-4285: binutils: NULL pointer dereference in _bfd_elf_get_symbol_version_string leads to segfault
Summary: VUL-1: CVE-2022-4285: binutils: NULL pointer dereference in _bfd_elf_get_symb...
Status: CONFIRMED
Alias: CVE-2022-4285
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other, OS: Other
Importance: P4 - Low (priority), Normal (severity)
Target Milestone: ---
Assignee: Michael Matz
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/349762/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-4285:5.5:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-12-06 08:24 UTC by Thomas Leroy
Modified: 2023-09-27 20:31 UTC
CC: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Thomas Leroy 2022-12-06 08:26:58 UTC
Should be affected:
- SUSE:SLE-12:Update
- SUSE:SLE-15-SP1:Update
- SUSE:SLE-15:Update

Michael, could you please include this fix in the next binutils release? :)
Comment 2 Michael Matz 2022-12-08 13:23:31 UTC
How unfortunate timing that is :-/  The current cycle is just finished.
Either way, I'll queue this one, yes.  But one remark: I believe that
SUSE:SLE-15:Update is not active anymore, only 15-SP1.  Can you confirm?
(At least I haven't version-upped binutils in that one this cycle anymore)
Comment 3 Thomas Leroy 2022-12-08 13:29:44 UTC
(In reply to Michael Matz from comment #2)
> How unfortunate timing that is :-/  The current cycle is just finished.

Then it will be for next cycle...

> Either way, I'll queue this one, yes.  But one remark: I believe that
> SUSE:SLE-15:Update is not active anymore, only 15-SP1.  Can you confirm?
> (At least I haven't version-upped binutils in that one this cycle anymore)

Indeed SUSE:SLE-15:Update only contains LTSS channels, so if CVSS < 7.0 no need to submit, sorry :)
Comment 5 Brahmajit Das 2023-09-07 06:49:52 UTC
I have an L3 ticket for this CVE fix on SLE12-SP5. The upstream commit did apply cleanly (minor tweaks were needed in the ChangeLog file).

@Michael Matz can you please review my work at https://build.suse.de/project/show/PTF:26827?
Comment 6 Michael Matz 2023-09-07 12:25:48 UTC
(In reply to Brahmajit Das from comment #5)
> I've a L3 ticket for this CVE fix on SLE12-SP5. The upstream commit did
> apply cleanly (minor tweaks were needed in the ChangeLog file).
> 
> @Michael Matz can you please review my work at
> https://build.suse.de/project/show/PTF:26827?

Looks correct.  You have to decide for yourself if it's really a good idea, though.
The next version update (due later this month) will ignore that work including
the changelog L3 marker entries at which point you may or may not have to update
the PTF to not confuse customers.

Do note that upstream doesn't consider this a security issue (but as a normal bug
on invalid input) and hence it doesn't qualify for normal CVE treatment.
This might influence your decision regarding it qualifying for L3 PTFs.
Comment 8 Brahmajit Das 2023-09-18 18:53:30 UTC
@Michael Matz,

Is binutils in SLE11-SP3 affected by CVE-2022-4285? 

I tried looking through binutils-2.23.1 source and couldn't find an exact match for the removed line in the file bfd/elf.c
Comment 9 Maintenance Automation 2023-09-20 08:30:01 UTC
SUSE-SU-2023:3695-1: An update that solves 20 vulnerabilities, contains two features and has three security fixes can now be installed.

Category: security (important)
Bug References: 1200962, 1206080, 1206556, 1208037, 1208038, 1208040, 1208409, 1209642, 1210297, 1210733, 1213282, 1213458, 1214565, 1214567, 1214579, 1214580, 1214604, 1214611, 1214619, 1214620, 1214623, 1214624, 1214625
CVE References: CVE-2020-19726, CVE-2021-32256, CVE-2022-35205, CVE-2022-35206, CVE-2022-4285, CVE-2022-44840, CVE-2022-45703, CVE-2022-47673, CVE-2022-47695, CVE-2022-47696, CVE-2022-48063, CVE-2022-48064, CVE-2022-48065, CVE-2023-0687, CVE-2023-1579, CVE-2023-1972, CVE-2023-2222, CVE-2023-25585, CVE-2023-25587, CVE-2023-25588
Jira References: PED-1435, PED-5778
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): binutils-2.41-9.53.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): binutils-2.41-9.53.1
SUSE Linux Enterprise Server 12 SP5 (src): binutils-2.41-9.53.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): binutils-2.41-9.53.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Michael Matz 2023-09-27 12:25:13 UTC
(In reply to Brahmajit Das from comment #8)
> @Michael Matz,
> 
> Is binutils in SLE11-SP3 affected by CVE-2022-4285? 

I don't know.  Possibly not, as the immediate cause for this problem was a fix
to CVE-2020-16599 which binutils 2.23 doesn't have.

> I tried looking through binutils-2.23.1 source and couldn't find an exact
> match for the removed line in the file bfd/elf.c

Yes, the code is quite different.  Do note that binutils 2.23 suffers from _many_ of these fuzzing bugs that were invalidly translated into CVEs.  I would suggest to not even start looking for them.

Neither the upstream security policy nor our own SUSE policy regarding binutils support these bugs getting CVE treatment; they are simple bugs in inspection tools on invalid (!) input.  We don't do updates for the SLE-11 line of binutils for them, and neither should such be done for PTFs or to fulfill L3 requests.  The latter should be rejected and closed with the appropriate comments mentioning the above.  The danger of introducing _real_ bugs (as in affecting valid input) by backporting fixes for imaginary bugs over a long time range to different code is far too large.
Comment 11 Maintenance Automation 2023-09-27 20:31:11 UTC
SUSE-SU-2023:3825-1: An update that solves 20 vulnerabilities, contains one feature and has two security fixes can now be installed.

Category: security (important)
Bug References: 1200962, 1206080, 1206556, 1208037, 1208038, 1208040, 1208409, 1209642, 1210297, 1210733, 1213458, 1214565, 1214567, 1214579, 1214580, 1214604, 1214611, 1214619, 1214620, 1214623, 1214624, 1214625
CVE References: CVE-2020-19726, CVE-2021-32256, CVE-2022-35205, CVE-2022-35206, CVE-2022-4285, CVE-2022-44840, CVE-2022-45703, CVE-2022-47673, CVE-2022-47695, CVE-2022-47696, CVE-2022-48063, CVE-2022-48064, CVE-2022-48065, CVE-2023-0687, CVE-2023-1579, CVE-2023-1972, CVE-2023-2222, CVE-2023-25585, CVE-2023-25587, CVE-2023-25588
Jira References: PED-5778
Sources used:
openSUSE Leap 15.5 (src): cross-s390x-binutils-2.41-150100.7.46.1, cross-ia64-binutils-2.41-150100.7.46.1, cross-m68k-binutils-2.41-150100.7.46.1, cross-avr-binutils-2.41-150100.7.46.1, cross-hppa-binutils-2.41-150100.7.46.1, cross-sparc64-binutils-2.41-150100.7.46.1, cross-i386-binutils-2.41-150100.7.46.1, cross-xtensa-binutils-2.41-150100.7.46.1, cross-ppc-binutils-2.41-150100.7.46.1, cross-ppc64le-binutils-2.41-150100.7.46.1, cross-epiphany-binutils-2.41-150100.7.46.1, cross-riscv64-binutils-2.41-150100.7.46.1, cross-aarch64-binutils-2.41-150100.7.46.1, cross-hppa64-binutils-2.41-150100.7.46.1, cross-rx-binutils-2.41-150100.7.46.1, cross-ppc64-binutils-2.41-150100.7.46.1, cross-x86_64-binutils-2.41-150100.7.46.1, cross-spu-binutils-2.41-150100.7.46.1, cross-arm-binutils-2.41-150100.7.46.1, binutils-2.41-150100.7.46.1, cross-s390-binutils-2.41-150100.7.46.1, cross-sparc-binutils-2.41-150100.7.46.1, cross-mips-binutils-2.41-150100.7.46.1
Basesystem Module 15-SP4 (src): binutils-2.41-150100.7.46.1
Basesystem Module 15-SP5 (src): binutils-2.41-150100.7.46.1
Development Tools Module 15-SP4 (src): binutils-2.41-150100.7.46.1
Development Tools Module 15-SP5 (src): binutils-2.41-150100.7.46.1
SUSE Package Hub 15 15-SP4 (src): binutils-2.41-150100.7.46.1
SUSE Package Hub 15 15-SP5 (src): binutils-2.41-150100.7.46.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): binutils-2.41-150100.7.46.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): binutils-2.41-150100.7.46.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): binutils-2.41-150100.7.46.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): binutils-2.41-150100.7.46.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): binutils-2.41-150100.7.46.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): binutils-2.41-150100.7.46.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): binutils-2.41-150100.7.46.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): binutils-2.41-150100.7.46.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): binutils-2.41-150100.7.46.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): binutils-2.41-150100.7.46.1
SUSE Manager Proxy 4.2 (src): binutils-2.41-150100.7.46.1
SUSE Manager Retail Branch Server 4.2 (src): binutils-2.41-150100.7.46.1
SUSE Manager Server 4.2 (src): binutils-2.41-150100.7.46.1
SUSE Enterprise Storage 7.1 (src): binutils-2.41-150100.7.46.1
SUSE CaaS Platform 4.0 (src): binutils-2.41-150100.7.46.1
openSUSE Leap 15.4 (src): binutils-2.41-150100.7.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
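The two maintenance notices above (comments 9 and 11) name the binutils source versions that carry the fix: 2.41-9.53.1 for the SLE 12 SP5 products and 2.41-150100.7.46.1 for the SLE 15 products and openSUSE Leap. The script below is an added example, not part of this bug report or of SUSE's tooling, that compares an installed binutils VERSION-RELEASE string against those fixed versions with a plain POSIX sh segment-wise numeric comparison. The "installed" strings it is fed in the demo are constructed sample inputs; on a real SLE host the value would come from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' binutils`.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether a binutils
# VERSION-RELEASE string is at or above the fixed version named in the
# SUSE advisories for CVE-2022-4285.

# Fixed source versions taken from SUSE-SU-2023:3695-1 and SUSE-SU-2023:3825-1.
FIXED_SLE12SP5="2.41-9.53.1"
FIXED_SLE15="2.41-150100.7.46.1"

# vercmp A B: print -1, 0 or 1 for A <, =, > B.
# Both the '.' and '-' separators are treated alike, and each segment is
# compared numerically; a missing trailing segment counts as 0.
# Caveat: this is a numeric-only comparison. It does not implement the full
# rpmvercmp rules (alphabetic segments, tildes, carets); that is enough for
# the all-numeric SUSE binutils versions on this page, but not for every package.
vercmp() {
    a=$(printf '%s' "$1" | tr '-' '.')
    b=$(printf '%s' "$2" | tr '-' '.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        # Peel off the leading segment of each string.
        sa=${a%%.*}; if [ "$sa" = "$a" ]; then a=''; else a=${a#*.}; fi
        sb=${b%%.*}; if [ "$sb" = "$b" ]; then b=''; else b=${b#*.}; fi
        sa=${sa:-0}; sb=${sb:-0}
        if [ "$sa" -lt "$sb" ]; then printf '%s\n' -1; return 0; fi
        if [ "$sa" -gt "$sb" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# is_fixed INSTALLED FIXED: succeed (exit 0) when INSTALLED >= FIXED.
is_fixed() {
    [ "$(vercmp "$1" "$2")" -ge 0 ]
}

# report INSTALLED FIXED: human-readable verdict, for stand-alone use.
report() {
    if is_fixed "$1" "$2"; then
        printf 'binutils %s: at or above fixed version %s\n' "$1" "$2"
    else
        printf 'binutils %s: BELOW fixed version %s, update needed\n' "$1" "$2"
    fi
}

# Stand-alone demo with constructed sample values (not real hosts).
report "2.41-150100.7.46.1" "$FIXED_SLE15"   # at or above
report "2.39-150100.7.43.1" "$FIXED_SLE15"   # below
report "2.41-9.53.1"        "$FIXED_SLE12SP5" # at or above
report "2.41-9.50.1"        "$FIXED_SLE12SP5" # below
```

The comparison is pinned to the SUSE package versions named in the advisories, so it answers only "has this host received these updates"; it says nothing about other distributions' backports, and a version at or above the fixed one on a SLE 11 host is not expected, since comment 10 says no update was made for that line.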