Security Bulletin: Multiple vulnerabilities in GNU binutils affect IBM Netezza Analytics

Summary

GNU binutils is used by IBM Netezza Analytics. IBM Netezza Analytics has addressed the applicable CVEs by upgrading GNU binutils to latest version 2.35.

Vulnerability Details

CVEID:CVE-2020-35495
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by NULL pointer dereference in the bfd_pef_parse_symbols function in bfd/pef.c in the Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file with corrupt dwarf1 debug information, a remote attacker could cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194213 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-35496
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by NULL pointer dereference in the bfd_pef_scan_start_address() of bfd/pef.c. in the Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file with corrupt dwarf1 debug information, a remote attacker could cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194210 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-35493
**DESCRIPTION:**GNU Binutils is vulnerable a heap-based buffer overflow, caused by improper bounds checking in bfd_pef_parse_function_stubs in bfd/pef.c. By persuading a victim to open a specially crafted file, a remote attacker could overflow a buffer to cause an out-of-bounds read, leading to a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194222 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-35507
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by NULL pointer dereference in the bfd_pef_parse_function_stubs of bfd/pef.c in the Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file with corrupt dwarf1 debug information, a remote attacker could cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194206 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-35494
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by the usage of uninitialized memory in /opcodes/tic4x-dis.c in the Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file with corrupt dwarf1 debug information, a remote attacker could cause a denial of service.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194221 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)

CVEID:CVE-2019-14250
**DESCRIPTION:**GNU Binutils is vulnerable to a heap-based buffer overflow, caused by an integer overflow in simple_object_elf_match in simple-object-elf.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164245 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:CVE-2018-18309
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by an invalid memory address dereference in the read_reloc function in reloc.c in libbfd. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151272 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2018-20712
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by a heap-based buffer over-read flaw in the d_expression_1 function in cp-demangle.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155560 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-17358
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by an invalid memory access in _bfd_stab_section_find_nearest_line in syms.c in the Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/150341 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-17359
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by an invalid memory access in bfd_zalloc in opncls.c in the Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/150340 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-17360
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by a heap-based buffer over-read in bfd_getl32 in libbfd.c in the Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/150339 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-18700
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by a stack consumption in cp-demangle.c in GNU libiberty. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152134 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-19932
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by an integer overflow in the IS_CONTAINED_BY_LMA function in elf.c in libbfd. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/154007 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:CVE-2018-19931
**DESCRIPTION:**GNU Binutils is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the bfd_elf32_swap_phdr_in function in elfcode.h in libbfd. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/154006 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:CVE-2018-17794
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by a NULL pointer dereference in the cplus-dem.c in GNU libiberty. By using a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/150692 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-17985
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by a stack-based buffer overflow in the cplus_demangle_type function. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a stack consumption.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/150934 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-12972
**DESCRIPTION:**GNU binutils is vulnerable to a denial of service, caused by a heap-based buffer over-read in the bfd_doprnt in bfd.c of libbfd. By using a specially-crafted file, a local attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/166630 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-18605
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by a heap-based buffer over-read in the function sec_merge_hash_lookup in merge.c in the in the Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151866 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-18606
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by a NULL pointer dereference in the merge_strings function in merge.c in the in the Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151865 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-18607
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by a NULL pointer dereference in the elf_link_input_bfd in elflink.c in the in the Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151863 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-20002
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by a memory leak in the _bfd_generic_read_minisymbols function in syms.c in libbfd. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/154100 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-20671
**DESCRIPTION:**GNU Binutils is vulnerable to a heap-based buffer overflow, caused by an integer overflow in the load_specific_debug_section function in objdump.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155167 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:CVE-2018-18701
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by a stack consumption in cp-demangle.c in GNU libiberty. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152133 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-1000876
**DESCRIPTION:**GNU Binutils is vulnerable to a heap-based buffer overflow, caused by an integer overflow in the objdump, bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc. By using a specially-crafted file, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/154802 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:CVE-2018-18484
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by a n error in the C++ demangling functions in cp-demangle.c in GNU libiberty. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to consume all available stack resources.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151736 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2020-16599
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by a NULL pointer dereference vulnerability in _bfd_elf_get_symbol_version_string (nm-new) in Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192886 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2020-16592
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by a use-after-free vulnerability in bfd_hash_lookup (nm-new) in Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192896 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2020-16590
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by a double free vulnerability in process_symbol_table in Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192876 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2020-16593
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by a NULL pointer dereference vulnerability in scan_unit_for_symbols (addr2line) in Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192895 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2020-16591
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by an invalid read in process_symbol_table in Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192875 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-17450
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by an infinite recursion in find_abstract_instance in dwarf2.c in inary File Descriptor (BFD) library (aka libbfd). By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169075 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-17451
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by an integer overflow in _bfd_dwarf2_find_nearest_line in dwarf2.c in inary File Descriptor (BFD) library (aka libbfd). By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169072 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

Remediation/Fixes

Workarounds and Mitigations

None