ID

VAR-202101-0564


CVE

CVE-2020-35493


TITLE

binutils  Input verification vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-017191

DESCRIPTION

A flaw exists in binutils in bfd/pef.c. An attacker who is able to submit a crafted PEF file to be parsed by objdump could cause a heap buffer overflow -> out-of-bounds read that could lead to an impact to application availability. This flaw affects binutils versions prior to 2.34. binutils There are input validation vulnerabilities, heap-based buffer overflow vulnerabilities, and out-of-bounds read vulnerabilities.Service operation interruption (DoS) It may be in a state. GNU Binutils (GNU Binary Utilities or binutils) is a set of programming language tool programs developed by the GNU community. The program is primarily designed to handle object files in various formats and provides linkers, assemblers, and other tools for object files and archives. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202107-24 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Binutils: Multiple vulnerabilities Date: July 10, 2021 Bugs: #678806, #761957, #764170 ID: 202107-24 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Binutils, the worst of which could result in a Denial of Service condition. Background ========== The GNU Binutils are a collection of tools to create, modify and analyse binary files. Many of the files use BFD, the Binary File Descriptor library, to do low-level manipulation. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 sys-devel/binutils < 2.35.2 >= 2.35.2 Description =========== Multiple vulnerabilities have been discovered in Binutils. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Binutils users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-devel/binutils-2.35.2" References ========== [ 1 ] CVE-2019-9070 https://nvd.nist.gov/vuln/detail/CVE-2019-9070 [ 2 ] CVE-2019-9071 https://nvd.nist.gov/vuln/detail/CVE-2019-9071 [ 3 ] CVE-2019-9072 https://nvd.nist.gov/vuln/detail/CVE-2019-9072 [ 4 ] CVE-2019-9073 https://nvd.nist.gov/vuln/detail/CVE-2019-9073 [ 5 ] CVE-2019-9074 https://nvd.nist.gov/vuln/detail/CVE-2019-9074 [ 6 ] CVE-2019-9075 https://nvd.nist.gov/vuln/detail/CVE-2019-9075 [ 7 ] CVE-2019-9076 https://nvd.nist.gov/vuln/detail/CVE-2019-9076 [ 8 ] CVE-2019-9077 https://nvd.nist.gov/vuln/detail/CVE-2019-9077 [ 9 ] CVE-2020-19599 https://nvd.nist.gov/vuln/detail/CVE-2020-19599 [ 10 ] CVE-2020-35448 https://nvd.nist.gov/vuln/detail/CVE-2020-35448 [ 11 ] CVE-2020-35493 https://nvd.nist.gov/vuln/detail/CVE-2020-35493 [ 12 ] CVE-2020-35494 https://nvd.nist.gov/vuln/detail/CVE-2020-35494 [ 13 ] CVE-2020-35495 https://nvd.nist.gov/vuln/detail/CVE-2020-35495 [ 14 ] CVE-2020-35496 https://nvd.nist.gov/vuln/detail/CVE-2020-35496 [ 15 ] CVE-2020-35507 https://nvd.nist.gov/vuln/detail/CVE-2020-35507 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202107-24 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Trust: 1.89

sources: NVD: CVE-2020-35493 // JVNDB: JVNDB-2020-017191 // VULHUB: VHN-377689 // VULMON: CVE-2020-35493 // PACKETSTORM: 163455

AFFECTED PRODUCTS

vendor:netappmodel:solidfire \& hci management nodescope:eqversion: -

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:32

Trust: 1.0

vendor:netappmodel:ontap select deploy administration utilityscope:eqversion: -

Trust: 1.0

vendor:netappmodel:hci compute nodescope:eqversion: -

Trust: 1.0

vendor:netappmodel:solidfire\, enterprise sds \& hci storage nodescope:eqversion: -

Trust: 1.0

vendor:gnumodel:binutilsscope:ltversion:2.34

Trust: 1.0

vendor:netappmodel:cloud backupscope:eqversion: -

Trust: 1.0

vendor:broadcommodel:brocade fabric operating systemscope:eqversion: -

Trust: 1.0

vendor:fedoramodel:fedorascope: - version: -

Trust: 0.8

vendor:netappmodel:hci compute nodescope: - version: -

Trust: 0.8

vendor:netappmodel:ontap select deploy administration utilityscope: - version: -

Trust: 0.8

vendor:netappmodel:hci management nodescope: - version: -

Trust: 0.8

vendor:netappmodel:solidfirescope: - version: -

Trust: 0.8

vendor:gnumodel:binutilsscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-017191 // NVD: CVE-2020-35493

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-35493
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-35493
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202101-099
value: MEDIUM

Trust: 0.6

VULHUB: VHN-377689
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-35493
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-35493
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-377689
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-35493
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2020-35493
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-377689 // VULMON: CVE-2020-35493 // JVNDB: JVNDB-2020-017191 // CNNVD: CNNVD-202101-099 // NVD: CVE-2020-35493

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.1

problemtype:Heap-based buffer overflow (CWE-122) [ others ]

Trust: 0.8

problemtype: Out-of-bounds read (CWE-125) [ others ]

Trust: 0.8

problemtype: Inappropriate input confirmation (CWE-20) [ others ]

Trust: 0.8

problemtype:CWE-122

Trust: 0.1

problemtype:CWE-125

Trust: 0.1

sources: VULHUB: VHN-377689 // JVNDB: JVNDB-2020-017191 // NVD: CVE-2020-35493

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202101-099

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202101-099

PATCH

title:Bug 25307 NetAppNetApp Advisoryurl:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4KOK3QWSVOUJWJ54HVGIFWNLWQ5ZY4S6/

Trust: 0.8

title:GNU binutils Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=138354

Trust: 0.6

title: - url:https://github.com/vincent-deng/veracode-container-security-finding-parser

Trust: 0.1

sources: VULMON: CVE-2020-35493 // JVNDB: JVNDB-2020-017191 // CNNVD: CNNVD-202101-099

EXTERNAL IDS

db:NVDid:CVE-2020-35493

Trust: 3.5

db:PACKETSTORMid:163455

Trust: 0.8

db:JVNDBid:JVNDB-2020-017191

Trust: 0.8

db:CNNVDid:CNNVD-202101-099

Trust: 0.7

db:AUSCERTid:ESB-2021.3660

Trust: 0.6

db:VULHUBid:VHN-377689

Trust: 0.1

db:VULMONid:CVE-2020-35493

Trust: 0.1

sources: VULHUB: VHN-377689 // VULMON: CVE-2020-35493 // JVNDB: JVNDB-2020-017191 // PACKETSTORM: 163455 // CNNVD: CNNVD-202101-099 // NVD: CVE-2020-35493

REFERENCES

url:https://bugzilla.redhat.com/show_bug.cgi?id=1911437

Trust: 2.6

url:https://security.gentoo.org/glsa/202107-24

Trust: 1.9

url:https://security.netapp.com/advisory/ntap-20210212-0007/

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-35493

Trust: 1.5

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4kok3qwsvoujwj54hvgifwnlwq5zy4s6/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4kok3qwsvoujwj54hvgifwnlwq5zy4s6/

Trust: 0.8

url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-gnu-binutils-affect-ibm-netezza-analytics/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3660

Trust: 0.6

url:https://vigilance.fr/vulnerability/binutils-buffer-overflow-via-bfd-pef-parse-function-stub-34252

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-gnu-binutils-affect-ibm-netezza-analytics-for-nps/

Trust: 0.6

url:https://packetstormsecurity.com/files/163455/gentoo-linux-security-advisory-202107-24.html

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-gnu-binutils-affect-ibm-netezza-performance-server/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/20.html

Trust: 0.1

url:https://cwe.mitre.org/data/definitions/125.html

Trust: 0.1

url:https://cwe.mitre.org/data/definitions/122.html

Trust: 0.1

url:https://github.com/live-hack-cve/cve-2020-35493

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-35495

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-19599

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-9071

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-9077

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-9073

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-9072

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-35448

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-9074

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-35507

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-9070

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-35496

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-9076

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-9075

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-35494

Trust: 0.1

sources: VULHUB: VHN-377689 // VULMON: CVE-2020-35493 // JVNDB: JVNDB-2020-017191 // PACKETSTORM: 163455 // CNNVD: CNNVD-202101-099 // NVD: CVE-2020-35493

CREDITS

Gentoo

Trust: 0.1

sources: PACKETSTORM: 163455

SOURCES

db:VULHUBid:VHN-377689
db:VULMONid:CVE-2020-35493
db:JVNDBid:JVNDB-2020-017191
db:PACKETSTORMid:163455
db:CNNVDid:CNNVD-202101-099
db:NVDid:CVE-2020-35493

LAST UPDATE DATE

2024-08-14T13:12:18.855000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-377689date:2022-09-02T00:00:00
db:VULMONid:CVE-2020-35493date:2022-09-02T00:00:00
db:JVNDBid:JVNDB-2020-017191date:2022-06-29T05:11:00
db:CNNVDid:CNNVD-202101-099date:2022-09-05T00:00:00
db:NVDid:CVE-2020-35493date:2023-11-07T03:21:55.440

SOURCES RELEASE DATE

db:VULHUBid:VHN-377689date:2021-01-04T00:00:00
db:VULMONid:CVE-2020-35493date:2021-01-04T00:00:00
db:JVNDBid:JVNDB-2020-017191date:2022-06-29T00:00:00
db:PACKETSTORMid:163455date:2021-07-11T12:01:11
db:CNNVDid:CNNVD-202101-099date:2021-01-04T00:00:00
db:NVDid:CVE-2020-35493date:2021-01-04T15:15:12.777