Oracle Linux 8 : binutils (ELSA-2020-1797)

medium Nessus Plugin ID 180901

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-1797 advisory.

[2.30-73.0.1]
- Forward-port of Oracle patches from 2.30-68.0.2.
- Reviewed-by: Elena Zannoni <[email protected]>

[2.30-68.0.2]
- Backport the non-cycle-detecting-capable deduplicating CTF linker
- Backport a fix for an upstream hashtab crash (no upstream bug number), triggered by the above.
- Fix deduplication of ambiguously-named types in CTF.
- CTF types without names are not ambiguously-named.
- Stop the CTF_LINK_EMPTY_CU_MAPPINGS flag crashing.
- Only emit ambiguous types as hidden if they are named and there is already a type with that name.
- Make sure completely empty dicts get their header written out properly
- Do not fail if adding anonymous struct/union members to structs/unions that already contain other anonymous members at a different offset
- Correctly look up pointers to non-root-visible structures
- Emit error messages in dumping into the dump stream
- Do not abort early on dump-time errors
- Elide likely duplicates (same name, same kind) within a single TU (cross- TU duplicate/ambiguous-type detection works as before).
- Fix linking of the CTF variable section
- Fix spurious conflicts of variables (also affects the nondeduplicating linker)
- Defend against CUs without names
- When linking only a single input file, set the output CTF CU name to the name of the input
- Support cv-qualified bitfields
- Fix off-by-one error in SHA-1 sizing

[2.30-73]
- Remove bogus assertion. (#1801879)

[2.30-72]
- Allow the BFD library to handle the copying of files containing secondary reloc sections. (#1801879)

[2.30-68.0.1]
- Ensure 8-byte alignment for AArch64 stubs.
- Add CTF support to OL8: CTF machinery, including libctf.so and libctf-nonbfd.so. The linker does not yet deduplicate the CTF type section.
- Backport of fix for upstream bug 23919, required by above
- [Orabug: 30102938] [Orabug: 30102941]

[2.30-71]
- Fix a potential seg-fault in the BFD library when parsing pathalogical debug_info sections. (#1779245)
- Fix a potential memory exhaustion in the BFD library when parsing corrupt DWARF debug information.

[2.30-70]
- Re-enable strip merging build notes. (#1777760)

[2.30-69]
- Fix linker testsuite failures triggered by annobin update.

[2.30-68]
- Backport H.J.Lus patch to add a workaround for the JCC Errata to the assembler. (#1777002)

[2.30-67]
- Fix a buffer overrun in the note merging code. (#1774507)

[2.30-66]
- Fix a seg-fault in gold when linking corrupt input files. (#1739254)

[2.30-65]
- NVR bump to allow rebuild with reverted version of glibc in the buildroot.

[2.30-64]
- Stop note merging with no effect from creating null filled note sections.

[2.30-63]
- Stop objcopy from generating a exit failure status when merging corrupt notes.

[2.30-62]
- Fix binutils testsuite failure introduced by -60 patch. (#1767711)

[2.30-61]
- Enable threading in the GOLD linker. (#1729225)
- Add check to readelf in order to prevent an integer overflow.

[2.30-60]
- Add support for SVE Vector PCS on AArch64. (#1726637)
- Add fixes for coverity test failures.
- Improve objcopys ability to merge GNU build attribute notes.

[2.30-59]
- Stop the linker from merging groups with different settings of the SHF_EXCLUDE flag. (#1730906)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected binutils and / or binutils-devel packages.

See Also

https://linux.oracle.com/errata/ELSA-2020-1797.html

Plugin Details

Severity: Medium

ID: 180901

File Name: oraclelinux_ELSA-2020-1797.nasl

Version: 1.1

Type: local

Agent: unix

Published: 9/7/2023

Updated: 10/22/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2019-17451

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:binutils-devel, p-cpe:/a:oracle:linux:binutils, cpe:/o:oracle:linux:8

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/5/2020

Vulnerability Publication Date: 10/12/2018

Reference Information

CVE: CVE-2019-1010204, CVE-2019-17451