Amazon Linux 2 Security Advisory: ALAS-2024-2401
Advisory Release Date: 2024-01-03 21:04 Pacific
Advisory Updated Date: 2024-01-09 17:51 Pacific
A memory consumption issue in the get_data function in binutils/nm.c in GNU nm before 2.34 allows attackers to cause a denial of service via a crafted command. (CVE-2020-19724)
Heap-based Buffer Overflow in function bfd_getl32 in Binutils objdump 3.37. (CVE-2021-46174)
An issue was discovered in Binutils readelf 2.38.50: a reachable assertion failure in function display_debug_names allows attackers to cause a denial of service. (CVE-2022-35205)
An issue was discovered in function stab_demangle_v3_arg in stabs.c in Binutils 2.34 through 2.38 that allows attackers to cause a denial of service due to memory leaks. (CVE-2022-47007)
An issue was discovered in functions make_tempdir and make_tempname in bucomm.c in Binutils 2.34 through 2.38 that allows attackers to cause a denial of service due to memory leaks. (CVE-2022-47008)
An issue was discovered in function pr_function_type in prdbg.c in Binutils 2.34 through 2.38 that allows attackers to cause a denial of service due to memory leaks. (CVE-2022-47010)
GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DoS attack. (CVE-2022-48064)
A potential heap-based buffer overflow was found in _bfd_elf_slurp_version_tables() in bfd/elf.c. (CVE-2023-1972)
Affected Packages:
binutils
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update binutils to update your system.
aarch64:
binutils-2.29.1-31.amzn2.0.1.aarch64
binutils-devel-2.29.1-31.amzn2.0.1.aarch64
binutils-debuginfo-2.29.1-31.amzn2.0.1.aarch64
i686:
binutils-2.29.1-31.amzn2.0.1.i686
binutils-devel-2.29.1-31.amzn2.0.1.i686
binutils-debuginfo-2.29.1-31.amzn2.0.1.i686
src:
binutils-2.29.1-31.amzn2.0.1.src
x86_64:
binutils-2.29.1-31.amzn2.0.1.x86_64
binutils-devel-2.29.1-31.amzn2.0.1.x86_64
binutils-debuginfo-2.29.1-31.amzn2.0.1.x86_64
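
To confirm the update landed across hosts, this added example (not part of the Amazon advisory) checks `rpm -q`-style package names against the fixed build 2.29.1-31.amzn2.0.1 listed above. The comparison follows rpm's segment-wise ordering without '~' or '^' handling; the helper names and the sample inventory are constructed for illustration.

```python
import re

# Fixed version and release, taken from the package list in this advisory.
FIXED = ("2.29.1", "31.amzn2.0.1")
AFFECTED = {"binutils", "binutils-devel", "binutils-debuginfo"}

def vercmp(a, b):
    """Segment-wise comparison in the style of rpm (no '~' or '^' handling)."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)             # 9 < 31, unlike a string compare
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments are newer

def parse_nvra(line):
    """Split 'name-version-release.arch' as printed by `rpm -q`."""
    nvr, arch = line.strip().rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

def is_patched(version, release):
    # Version decides first; release only breaks a tie.
    return (vercmp(version, FIXED[0]) or vercmp(release, FIXED[1])) >= 0

def audit(lines):
    """Return sorted NVRA strings for affected packages below the fixed build."""
    stale = []
    for line in filter(str.strip, lines):
        name, version, release, _ = parse_nvra(line)
        if name in AFFECTED and not is_patched(version, release):
            stale.append(line.strip())
    return sorted(stale)

# Constructed sample inventory (not real host output); only the
# 2.29.1-31.amzn2.0.1 builds are taken from the advisory.
SAMPLE = """\
binutils-2.29.1-31.amzn2.0.1.x86_64
binutils-devel-2.29.1-30.amzn2.x86_64
binutils-2.29.1-9.amzn2.aarch64
binutils-debuginfo-2.29.1-31.amzn2.0.1.i686
glibc-2.26-1.amzn2.x86_64
""".splitlines()

if __name__ == "__main__":
    for pkg in audit(SAMPLE):
        print("needs update:", pkg)
```

Feed `audit()` the output of `rpm -q binutils binutils-devel binutils-debuginfo` collected from each host; any line it returns still needs `yum update binutils`.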