Sign-up

ID

VAR-201902-0875


CVE

CVE-2019-9077


TITLE

GNU Binutils Buffer error vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2019-002000 // CNNVD: CNNVD-201902-850

DESCRIPTION

An issue was discovered in GNU Binutils 2.32. It is a heap-based buffer overflow in process_mips_specific in readelf.c via a malformed MIPS option section. GNU Binutils Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. GNU Binutils is prone to a heap-based buffer-overflow vulnerability. Attackers can exploit this issue to cause a denial-of-service condition, denying service to legitimate users. Given the nature of this issue, attackers may also be able to execute arbitrary code, but this has not been confirmed. The program is primarily designed to handle object files in various formats and provides linkers, assemblers, and other tools for object files and archives. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202107-24 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Binutils: Multiple vulnerabilities Date: July 10, 2021 Bugs: #678806, #761957, #764170 ID: 202107-24 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Binutils, the worst of which could result in a Denial of Service condition. Background ========== The GNU Binutils are a collection of tools to create, modify and analyse binary files. Many of the files use BFD, the Binary File Descriptor library, to do low-level manipulation. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Binutils users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-devel/binutils-2.35.2" References ========== [ 1 ] CVE-2019-9070 https://nvd.nist.gov/vuln/detail/CVE-2019-9070 [ 2 ] CVE-2019-9071 https://nvd.nist.gov/vuln/detail/CVE-2019-9071 [ 3 ] CVE-2019-9072 https://nvd.nist.gov/vuln/detail/CVE-2019-9072 [ 4 ] CVE-2019-9073 https://nvd.nist.gov/vuln/detail/CVE-2019-9073 [ 5 ] CVE-2019-9074 https://nvd.nist.gov/vuln/detail/CVE-2019-9074 [ 6 ] CVE-2019-9075 https://nvd.nist.gov/vuln/detail/CVE-2019-9075 [ 7 ] CVE-2019-9076 https://nvd.nist.gov/vuln/detail/CVE-2019-9076 [ 8 ] CVE-2019-9077 https://nvd.nist.gov/vuln/detail/CVE-2019-9077 [ 9 ] CVE-2020-19599 https://nvd.nist.gov/vuln/detail/CVE-2020-19599 [ 10 ] CVE-2020-35448 https://nvd.nist.gov/vuln/detail/CVE-2020-35448 [ 11 ] CVE-2020-35493 https://nvd.nist.gov/vuln/detail/CVE-2020-35493 [ 12 ] CVE-2020-35494 https://nvd.nist.gov/vuln/detail/CVE-2020-35494 [ 13 ] CVE-2020-35495 https://nvd.nist.gov/vuln/detail/CVE-2020-35495 [ 14 ] CVE-2020-35496 https://nvd.nist.gov/vuln/detail/CVE-2020-35496 [ 15 ] CVE-2020-35507 https://nvd.nist.gov/vuln/detail/CVE-2020-35507 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202107-24 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Trust: 2.16

sources: NVD: CVE-2019-9077 // JVNDB: JVNDB-2019-002000 // BID: 107139 // VULHUB: VHN-160512 // VULMON: CVE-2019-9077 // PACKETSTORM: 163455

AFFECTED PRODUCTS

vendor:gnumodel:binutilsscope:eqversion:2.32

Trust: 1.3

vendor:netappmodel:element softwarescope:eqversion: -

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:18.04

Trust: 1.0

vendor:f5model:traffix signaling delivery controllerscope:lteversion:5.1.0

Trust: 1.0

vendor:f5model:traffix signaling delivery controllerscope:gteversion:5.0.0

Trust: 1.0

vendor:gnumodel:binutilsscope: - version: -

Trust: 0.8

vendor:netappmodel:element softwarescope: - version: -

Trust: 0.8

sources: BID: 107139 // JVNDB: JVNDB-2019-002000 // NVD: CVE-2019-9077

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-9077
value: HIGH

Trust: 1.0

NVD: CVE-2019-9077
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201902-850
value: HIGH

Trust: 0.6

VULHUB: VHN-160512
value: MEDIUM

Trust: 0.1

VULMON: CVE-2019-9077
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-9077
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-160512
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-9077
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-9077
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-160512 // VULMON: CVE-2019-9077 // JVNDB: JVNDB-2019-002000 // CNNVD: CNNVD-201902-850 // NVD: CVE-2019-9077

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.1

problemtype:CWE-119

Trust: 0.9

sources: VULHUB: VHN-160512 // JVNDB: JVNDB-2019-002000 // NVD: CVE-2019-9077

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201902-850

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201902-850

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-002000

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-160512

PATCH
title:NTAP-20190314-0003url:https://security.netapp.com/advisory/ntap-20190314-0003/
Trust: 0.8
title:Bug 24243url:https://sourceware.org/bugzilla/show_bug.cgi?id=24243
Trust: 0.8
title:GNU Binutils Buffer error vulnerability fixurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89629
Trust: 0.6
title:Red Hat: CVE-2019-9077url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2019-9077
Trust: 0.1
title:Ubuntu Security Notice: binutils vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-4336-1
Trust: 0.1
title: - url:https://github.com/yuntongzhang/vulnfix 
Trust: 0.1
sources:
            
            
            VULMON: CVE-2019-9077 // 
            
            
            
            JVNDB: JVNDB-2019-002000 // 
            
            
            
            CNNVD: CNNVD-201902-850

EXTERNAL IDS
db:NVDid:CVE-2019-9077
Trust: 3.0
db:BIDid:107139
Trust: 2.1
db:PACKETSTORMid:163455
Trust: 0.8
db:JVNDBid:JVNDB-2019-002000
Trust: 0.8
db:CNNVDid:CNNVD-201902-850
Trust: 0.7
db:AUSCERTid:ESB-2020.1400
Trust: 0.6
db:AUSCERTid:ESB-2021.3660
Trust: 0.6
db:AUSCERTid:ESB-2020.3723
Trust: 0.6
db:AUSCERTid:ESB-2021.2483
Trust: 0.6
db:AUSCERTid:ESB-2020.4225
Trust: 0.6
db:AUSCERTid:ESB-2019.2371
Trust: 0.6
db:NSFOCUSid:43672
Trust: 0.6
db:VULHUBid:VHN-160512
Trust: 0.1
db:VULMONid:CVE-2019-9077
Trust: 0.1
sources:
            
            
            VULHUB: VHN-160512 // 
            
            
            
            VULMON: CVE-2019-9077 // 
            
            
            
            BID: 107139 // 
            
            
            
            JVNDB: JVNDB-2019-002000 // 
            
            
            
            PACKETSTORM: 163455 // 
            
            
            
            CNNVD: CNNVD-201902-850 // 
            
            
            
            NVD: CVE-2019-9077

REFERENCES
url:http://www.securityfocus.com/bid/107139
Trust: 3.1
url:https://support.f5.com/csp/article/k00056379
Trust: 2.4
url:https://sourceware.org/bugzilla/show_bug.cgi?id=24243
Trust: 2.1
url:https://security.gentoo.org/glsa/202107-24
Trust: 1.9
url:https://usn.ubuntu.com/4336-1/
Trust: 1.9
url:https://security.netapp.com/advisory/ntap-20190314-0003/
Trust: 1.8
url:http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00078.html
Trust: 1.8
url:http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00004.html
Trust: 1.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-9077
Trust: 1.5
url:https://www.gnu.org/software/binutils/
Trust: 0.9
url:https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7fc0c668f2aceb8582d74db1ad2528e2bba8a921
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9077
Trust: 0.8
url:https://www.auscert.org.au/bulletins/esb-2020.1400/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.3723/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2021.2483
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2021.3660
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2019.2371/
Trust: 0.6
url:https://www.ibm.com/support/pages/node/1143448
Trust: 0.6
url:https://vigilance.fr/vulnerability/binutils-buffer-overflow-via-process-mips-specific-29415
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.4225/
Trust: 0.6
url:https://packetstormsecurity.com/files/163455/gentoo-linux-security-advisory-202107-24.html
Trust: 0.6
url:http://www.nsfocus.net/vulndb/43672
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/787.html
Trust: 0.1
url:https://github.com/yuntongzhang/vulnfix
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://access.redhat.com/security/cve/cve-2019-9077
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-35495
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-19599
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2019-9071
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-35493
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2019-9073
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2019-9072
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-35448
Trust: 0.1
url:https://security.gentoo.org/
Trust: 0.1
url:https://creativecommons.org/licenses/by-sa/2.5
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2019-9074
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-35507
Trust: 0.1
url:https://bugs.gentoo.org.
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2019-9070
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-35496
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2019-9076
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2019-9075
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-35494
Trust: 0.1
sources:
            
            
            VULHUB: VHN-160512 // 
            
            
            
            VULMON: CVE-2019-9077 // 
            
            
            
            BID: 107139 // 
            
            
            
            JVNDB: JVNDB-2019-002000 // 
            
            
            
            PACKETSTORM: 163455 // 
            
            
            
            CNNVD: CNNVD-201902-850 // 
            
            
            
            NVD: CVE-2019-9077

CREDITS
spinpx
Trust: 0.9
sources:
            
            
            BID: 107139 // 
            
            
            
            CNNVD: CNNVD-201902-850

SOURCES
db:VULHUBid:VHN-160512
db:VULMONid:CVE-2019-9077
db:BIDid:107139
db:JVNDBid:JVNDB-2019-002000
db:PACKETSTORMid:163455
db:CNNVDid:CNNVD-201902-850
db:NVDid:CVE-2019-9077

LAST UPDATE DATE
2024-11-23T20:20:31.262000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-160512date:2021-12-10T00:00:00
db:VULMONid:CVE-2019-9077date:2021-12-10T00:00:00
db:BIDid:107139date:2019-02-23T00:00:00
db:JVNDBid:JVNDB-2019-002000date:2019-04-01T00:00:00
db:CNNVDid:CNNVD-201902-850date:2021-12-13T00:00:00
db:NVDid:CVE-2019-9077date:2024-11-21T04:50:56.487

SOURCES RELEASE DATE
db:VULHUBid:VHN-160512date:2019-02-24T00:00:00
db:VULMONid:CVE-2019-9077date:2019-02-24T00:00:00
db:BIDid:107139date:2019-02-23T00:00:00
db:JVNDBid:JVNDB-2019-002000date:2019-04-01T00:00:00
db:PACKETSTORMid:163455date:2021-07-11T12:01:11
db:CNNVDid:CNNVD-201902-850date:2019-02-23T00:00:00
db:NVDid:CVE-2019-9077date:2019-02-24T00:29:00.597