Details of VAR-201902-0876

ID

VAR-201902-0876

CVE

CVE-2019-9075

TITLE

GNU Binutils Buffer error vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2019-001998 // CNNVD: CNNVD-201902-849

DESCRIPTION

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c. GNU Binutils Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. GNU Binutils is prone to multiple denial-of-service vulnerabilities and a heap-based buffer-overflow vulnerability Attackers can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts may result in denial-of-service conditions. Binutils 2.32 is vulnerable; other versions may also be vulnerable. The program is primarily designed to handle object files in various formats and provides linkers, assemblers, and other tools for object files and archives. An attacker could exploit this vulnerability to execute code or cause a denial of service. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202107-24 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Binutils: Multiple vulnerabilities Date: July 10, 2021 Bugs: #678806, #761957, #764170 ID: 202107-24 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Binutils, the worst of which could result in a Denial of Service condition. Background ========== The GNU Binutils are a collection of tools to create, modify and analyse binary files. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 sys-devel/binutils < 2.35.2 >= 2.35.2 Description =========== Multiple vulnerabilities have been discovered in Binutils. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Binutils users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-devel/binutils-2.35.2" References ========== [ 1 ] CVE-2019-9070 https://nvd.nist.gov/vuln/detail/CVE-2019-9070 [ 2 ] CVE-2019-9071 https://nvd.nist.gov/vuln/detail/CVE-2019-9071 [ 3 ] CVE-2019-9072 https://nvd.nist.gov/vuln/detail/CVE-2019-9072 [ 4 ] CVE-2019-9073 https://nvd.nist.gov/vuln/detail/CVE-2019-9073 [ 5 ] CVE-2019-9074 https://nvd.nist.gov/vuln/detail/CVE-2019-9074 [ 6 ] CVE-2019-9075 https://nvd.nist.gov/vuln/detail/CVE-2019-9075 [ 7 ] CVE-2019-9076 https://nvd.nist.gov/vuln/detail/CVE-2019-9076 [ 8 ] CVE-2019-9077 https://nvd.nist.gov/vuln/detail/CVE-2019-9077 [ 9 ] CVE-2020-19599 https://nvd.nist.gov/vuln/detail/CVE-2020-19599 [ 10 ] CVE-2020-35448 https://nvd.nist.gov/vuln/detail/CVE-2020-35448 [ 11 ] CVE-2020-35493 https://nvd.nist.gov/vuln/detail/CVE-2020-35493 [ 12 ] CVE-2020-35494 https://nvd.nist.gov/vuln/detail/CVE-2020-35494 [ 13 ] CVE-2020-35495 https://nvd.nist.gov/vuln/detail/CVE-2020-35495 [ 14 ] CVE-2020-35496 https://nvd.nist.gov/vuln/detail/CVE-2020-35496 [ 15 ] CVE-2020-35507 https://nvd.nist.gov/vuln/detail/CVE-2020-35507 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202107-24 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Trust: 2.07

sources: NVD: CVE-2019-9075 // JVNDB: JVNDB-2019-001998 // BID: 107412 // VULHUB: VHN-160510 // PACKETSTORM: 163455

AFFECTED PRODUCTS

vendor:	gnu	model:	binutils	scope:	eq	version:	2.32	Trust: 1.3
vendor:	f5	model:	big-ip global traffic manager	scope:	eq	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	eq	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	eq	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	eq	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	eq	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	netapp	model:	hci management node	scope:	eq	version:	-	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	eq	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	18.04	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	eq	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	eq	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	eq	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	eq	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy webaccelerator	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.0.0	Trust: 1.0
vendor:	netapp	model:	solidfire	scope:	eq	version:	-	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	gnu	model:	binutils	scope:	-	version:	-	Trust: 0.8
vendor:	netapp	model:	element software	scope:	-	version:	-	Trust: 0.8

sources: BID: 107412 // JVNDB: JVNDB-2019-001998 // NVD: CVE-2019-9075

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-9075
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-9075
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201902-849
value:	HIGH
Trust: 0.6
VULHUB:	VHN-160510
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-9075
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-160510
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-9075
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2019-9075
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-160510 // JVNDB: JVNDB-2019-001998 // CNNVD: CNNVD-201902-849 // NVD: CVE-2019-9075

PROBLEMTYPE DATA

problemtype:	CWE-787	Trust: 1.1
problemtype:	CWE-119	Trust: 0.9

sources: VULHUB: VHN-160510 // JVNDB: JVNDB-2019-001998 // NVD: CVE-2019-9075

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201902-849

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201902-849

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-001998

PATCH

title:	NTAP-20190314-0003	url:	https://security.netapp.com/advisory/ntap-20190314-0003/	Trust: 0.8
title:	Bug 24236	url:	https://sourceware.org/bugzilla/show_bug.cgi?id=24236	Trust: 0.8
title:	GNU Binutils Buffer error vulnerability fix	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89628	Trust: 0.6

sources: JVNDB: JVNDB-2019-001998 // CNNVD: CNNVD-201902-849

EXTERNAL IDS

db:	NVD	id:	CVE-2019-9075	Trust: 2.9
db:	BID	id:	107412	Trust: 0.9
db:	PACKETSTORM	id:	163455	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-001998	Trust: 0.8
db:	CNNVD	id:	CNNVD-201902-849	Trust: 0.7
db:	AUSCERT	id:	ESB-2021.3660	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2483	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.4225	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.1860	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1400	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.3723	Trust: 0.6
db:	VULHUB	id:	VHN-160510	Trust: 0.1

sources: VULHUB: VHN-160510 // BID: 107412 // JVNDB: JVNDB-2019-001998 // PACKETSTORM: 163455 // CNNVD: CNNVD-201902-849 // NVD: CVE-2019-9075

REFERENCES

url:	https://support.f5.com/csp/article/k42059040	Trust: 2.3
url:	https://sourceware.org/bugzilla/show_bug.cgi?id=24236	Trust: 2.0
url:	https://security.gentoo.org/glsa/202107-24	Trust: 1.8
url:	https://security.netapp.com/advisory/ntap-20190314-0003/	Trust: 1.7
url:	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00078.html	Trust: 1.7
url:	http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00004.html	Trust: 1.7
url:	https://usn.ubuntu.com/4336-1/	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-9075	Trust: 1.5
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9075	Trust: 0.8
url:	https://support.f5.com/csp/article/k09092524	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1400/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.3723/	Trust: 0.6
url:	http://www.securityfocus.com/bid/107412	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.4225/	Trust: 0.6
url:	https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-gnu-binutils-affect-ibm-netezza-platform-software-clients/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2483	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.3660	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.1860/	Trust: 0.6
url:	https://www.ibm.com/support/pages/node/1143448	Trust: 0.6
url:	https://vigilance.fr/vulnerability/binutils-buffer-overflow-via-bfd-archive-64-bit-slurp-armap-29405	Trust: 0.6
url:	https://packetstormsecurity.com/files/163455/gentoo-linux-security-advisory-202107-24.html	Trust: 0.6
url:	https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-gnu-binutils-affect-ibm-netezza-performance-server/	Trust: 0.6
url:	http://www.gnu.org	Trust: 0.3
url:	https://sourceware.org/bugzilla/show_bug.cgi?id=24232	Trust: 0.3
url:	https://sourceware.org/bugzilla/show_bug.cgi?id=24233	Trust: 0.3
url:	https://sourceware.org/bugzilla/show_bug.cgi?id=24235	Trust: 0.3
url:	https://sourceware.org/bugzilla/show_bug.cgi?id=24237	Trust: 0.3
url:	https://sourceware.org/bugzilla/show_bug.cgi?id=24238	Trust: 0.3
url:	https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89396	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-35495	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-19599	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-9071	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-9077	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-35493	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-9073	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-9072	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-35448	Trust: 0.1
url:	https://security.gentoo.org/	Trust: 0.1
url:	https://creativecommons.org/licenses/by-sa/2.5	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-9074	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-35507	Trust: 0.1
url:	https://bugs.gentoo.org.	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-9070	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-35496	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-9076	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-35494	Trust: 0.1

sources: VULHUB: VHN-160510 // BID: 107412 // JVNDB: JVNDB-2019-001998 // PACKETSTORM: 163455 // CNNVD: CNNVD-201902-849 // NVD: CVE-2019-9075

CREDITS

spinpx

Trust: 0.9

sources: BID: 107412 // CNNVD: CNNVD-201902-849

SOURCES

db:	VULHUB	id:	VHN-160510
db:	BID	id:	107412
db:	JVNDB	id:	JVNDB-2019-001998
db:	PACKETSTORM	id:	163455
db:	CNNVD	id:	CNNVD-201902-849
db:	NVD	id:	CVE-2019-9075

LAST UPDATE DATE

2024-11-23T21:03:48.343000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-160510	date:	2021-12-10T00:00:00
db:	BID	id:	107412	date:	2019-02-23T00:00:00
db:	JVNDB	id:	JVNDB-2019-001998	date:	2019-04-01T00:00:00
db:	CNNVD	id:	CNNVD-201902-849	date:	2021-12-13T00:00:00
db:	NVD	id:	CVE-2019-9075	date:	2024-11-21T04:50:56.187

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-160510	date:	2019-02-24T00:00:00
db:	BID	id:	107412	date:	2019-02-23T00:00:00
db:	JVNDB	id:	JVNDB-2019-001998	date:	2019-04-01T00:00:00
db:	PACKETSTORM	id:	163455	date:	2021-07-11T12:01:11
db:	CNNVD	id:	CNNVD-201902-849	date:	2019-02-23T00:00:00
db:	NVD	id:	CVE-2019-9075	date:	2019-02-24T00:29:00.500