Security update for binutils

Announcement ID: SUSE-SU-2019:2650-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2018-1000876 ( SUSE ): 5.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  • CVE-2018-1000876 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-1000876 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-17358 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  • CVE-2018-17358 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-17359 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-17359 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-17360 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-17360 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-17985 ( SUSE ): 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  • CVE-2018-17985 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-18309 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  • CVE-2018-18309 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-18483 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  • CVE-2018-18483 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2018-18484 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  • CVE-2018-18484 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-18605 ( SUSE ): 4.4 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  • CVE-2018-18605 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-18606 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  • CVE-2018-18606 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-18607 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  • CVE-2018-18607 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-19931 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-19931 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2018-19931 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2018-19932 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  • CVE-2018-19932 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-20623 ( SUSE ): 5.9 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • CVE-2018-20623 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-20651 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-20651 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-20671 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  • CVE-2018-20671 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2019-1010180 ( SUSE ): 7.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
  • CVE-2019-1010180 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2019-1010180 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
  • HPE Helion OpenStack 8
  • SUSE Enterprise Storage 4
  • SUSE Enterprise Storage 5
  • SUSE Linux Enterprise Desktop 12 SP4
  • SUSE Linux Enterprise Desktop 12 SP5
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP3
  • SUSE Linux Enterprise High Performance Computing 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP5
  • SUSE Linux Enterprise Point of Service Image Server 12 12-SP2
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2
  • SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2
  • SUSE Linux Enterprise Server 12 SP2 LTSS 12-SP2
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3
  • SUSE Linux Enterprise Server 12 SP3 ESPOS 12-SP3
  • SUSE Linux Enterprise Server 12 SP3 LTSS 12-SP3
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE Linux Enterprise Server 12 SP5
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
  • SUSE Linux Enterprise Software Development Kit 12 SP4
  • SUSE Linux Enterprise Software Development Kit 12 SP5
  • SUSE OpenStack Cloud 7
  • SUSE OpenStack Cloud 8
  • SUSE OpenStack Cloud Crowbar 8

An update that solves 17 vulnerabilities, contains two features and has three security fixes can now be installed.

Description:

This update for binutils fixes the following issues:

binutils was updated to current 2.32 branch @7b468db3 [jsc#ECO-368]:

Includes the following security fixes:

  • CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412)
  • CVE-2018-17359: Fixed invalid memory access exists in bfd_zalloc in opncls.c (bsc#1109413)
  • CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414)
  • CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827)
  • CVE-2018-18309: Fixed an invalid memory address dereference was discovered in read_reloc in reloc.c (bsc#1111996)
  • CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535)
  • CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534)
  • CVE-2018-18605: Fixed a heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255)
  • CVE-2018-18606: Fixed a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252)
  • CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247)
  • CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831)
  • CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830)
  • CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035)
  • CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034)
  • CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in load_specific_debug_section in objdump.c (bsc#1121056)
  • CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640)

  • CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772)

  • Enable xtensa architecture (Tensilica lc6 and related)

  • Use -ffat-lto-objects in order to provide assembly for static libs (bsc#1141913).
  • Fixed some LTO problems (bsc#1133131 bsc#1133232).
  • riscv: Don't check ABI flags if no code section

Update to binutils 2.32:

  • The binutils now support for the C-SKY processor series.
  • The x86 assembler now supports a -mvexwig=[0|1] option to control encoding of VEX.W-ignored (WIG) VEX instructions. It also has a new -mx86-used-note=[yes|no] option to generate (or not) x86 GNU property notes.
  • The MIPS assembler now supports the Loongson EXTensions R2 (EXT2), the Loongson EXTensions (EXT) instructions, the Loongson Content Address Memory (CAM) ASE and the Loongson MultiMedia extensions Instructions (MMI) ASE.
  • The addr2line, c++filt, nm and objdump tools now have a default limit on the maximum amount of recursion that is allowed whilst demangling strings. This limit can be disabled if necessary.
  • Objdump's --disassemble option can now take a parameter, specifying the starting symbol for disassembly. Disassembly will continue from this symbol up to the next symbol or the end of the function.
  • The BFD linker will now report property change in linker map file when merging GNU properties.
  • The BFD linker's -t option now doesn't report members within archives, unless -t is given twice. This makes it more useful when generating a list of files that should be packaged for a linker bug report.

  • The GOLD linker has improved warning messages for relocations that refer to discarded sections.

  • Improve relro support on s390 [fate#326356]

  • Handle ELF compressed header alignment correctly.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • HPE Helion OpenStack 8
    zypper in -t patch HPE-Helion-OpenStack-8-2019-2650=1
  • SUSE OpenStack Cloud 7
    zypper in -t patch SUSE-OpenStack-Cloud-7-2019-2650=1
  • SUSE OpenStack Cloud 8
    zypper in -t patch SUSE-OpenStack-Cloud-8-2019-2650=1
  • SUSE OpenStack Cloud Crowbar 8
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-2650=1
  • SUSE Linux Enterprise Desktop 12 SP4
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-2650=1
  • SUSE Linux Enterprise Desktop 12 SP5
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP5-2019-2650=1
  • SUSE Linux Enterprise Point of Service Image Server 12 12-SP2
    zypper in -t patch SUSE-SLE-POS-12-SP2-CLIENT-2019-2650=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
    zypper in -t patch SUSE-SLE-SAP-12-SP1-2019-2650=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
    zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-2650=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
    zypper in -t patch SUSE-SLE-SAP-12-SP3-2019-2650=1
  • SUSE Linux Enterprise Software Development Kit 12 SP4
    zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-2650=1
  • SUSE Linux Enterprise Software Development Kit 12 SP5
    zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-2650=1
  • SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2019-2650=1
  • SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-2650=1
  • SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-ESPOS-2019-2650=1
  • SUSE Linux Enterprise Server 12 SP2 LTSS 12-SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-2650=1
  • SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2019-2650=1
  • SUSE Linux Enterprise Server 12 SP3 ESPOS 12-SP3
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-ESPOS-2019-2650=1
  • SUSE Linux Enterprise Server 12 SP3 LTSS 12-SP3
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-2650=1
  • SUSE Linux Enterprise High Performance Computing 12 SP4
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2650=1
  • SUSE Linux Enterprise Server 12 SP4
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2650=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2650=1
  • SUSE Linux Enterprise High Performance Computing 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2650=1
  • SUSE Linux Enterprise Server 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2650=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2650=1
  • SUSE Enterprise Storage 4
    zypper in -t patch SUSE-Storage-4-2019-2650=1
  • SUSE Enterprise Storage 5
    zypper in -t patch SUSE-Storage-5-2019-2650=1

Package List:

  • HPE Helion OpenStack 8 (x86_64)
    • binutils-debuginfo-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
    • binutils-2.32-9.33.1
  • SUSE OpenStack Cloud 7 (x86_64)
    • binutils-debuginfo-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
    • binutils-devel-2.32-9.33.1
    • binutils-2.32-9.33.1
  • SUSE OpenStack Cloud 8 (x86_64)
    • binutils-debuginfo-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
    • binutils-2.32-9.33.1
  • SUSE OpenStack Cloud Crowbar 8 (x86_64)
    • binutils-debuginfo-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
    • binutils-2.32-9.33.1
  • SUSE Linux Enterprise Desktop 12 SP4 (x86_64)
    • binutils-debuginfo-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
    • binutils-2.32-9.33.1
  • SUSE Linux Enterprise Desktop 12 SP5 (x86_64)
    • binutils-debuginfo-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
    • binutils-2.32-9.33.1
  • SUSE Linux Enterprise Point of Service Image Server 12 12-SP2 (x86_64)
    • binutils-debuginfo-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
    • binutils-devel-2.32-9.33.1
    • binutils-2.32-9.33.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1 (x86_64)
    • binutils-debuginfo-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
    • binutils-devel-2.32-9.33.1
    • binutils-2.32-9.33.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2 (ppc64le x86_64)
    • binutils-debuginfo-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
    • binutils-devel-2.32-9.33.1
    • binutils-2.32-9.33.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3 (ppc64le x86_64)
    • binutils-debuginfo-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
    • binutils-2.32-9.33.1
  • SUSE Linux Enterprise Software Development Kit 12 SP4 (aarch64 ppc64le s390x x86_64)
    • cross-ppc-binutils-debugsource-2.32-9.33.1
    • binutils-devel-2.32-9.33.1
    • cross-ppc-binutils-debuginfo-2.32-9.33.1
    • cross-spu-binutils-2.32-9.33.1
    • cross-spu-binutils-debuginfo-2.32-9.33.1
    • binutils-debuginfo-2.32-9.33.1
    • binutils-gold-debuginfo-2.32-9.33.1
    • cross-ppc-binutils-2.32-9.33.1
    • cross-spu-binutils-debugsource-2.32-9.33.1
    • binutils-gold-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
  • SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x x86_64)
    • cross-ppc-binutils-debugsource-2.32-9.33.1
    • binutils-devel-2.32-9.33.1
    • cross-ppc-binutils-debuginfo-2.32-9.33.1
    • cross-spu-binutils-2.32-9.33.1
    • cross-spu-binutils-debuginfo-2.32-9.33.1
    • binutils-debuginfo-2.32-9.33.1
    • binutils-gold-debuginfo-2.32-9.33.1
    • cross-ppc-binutils-2.32-9.33.1
    • cross-spu-binutils-debugsource-2.32-9.33.1
    • binutils-gold-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
  • SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 (ppc64le s390x x86_64)
    • binutils-debuginfo-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
    • binutils-devel-2.32-9.33.1
    • binutils-2.32-9.33.1
  • SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (x86_64)
    • binutils-debuginfo-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
    • binutils-2.32-9.33.1
  • SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2 (x86_64)
    • binutils-debuginfo-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
    • binutils-devel-2.32-9.33.1
    • binutils-2.32-9.33.1
  • SUSE Linux Enterprise Server 12 SP2 LTSS 12-SP2 (ppc64le s390x x86_64)
    • binutils-debuginfo-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
    • binutils-devel-2.32-9.33.1
    • binutils-2.32-9.33.1
  • SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3 (x86_64)
    • binutils-debuginfo-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
    • binutils-2.32-9.33.1
  • SUSE Linux Enterprise Server 12 SP3 ESPOS 12-SP3 (aarch64 x86_64)
    • binutils-debuginfo-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
    • binutils-2.32-9.33.1
  • SUSE Linux Enterprise Server 12 SP3 LTSS 12-SP3 (aarch64 ppc64le s390x x86_64)
    • binutils-debuginfo-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
    • binutils-2.32-9.33.1
  • SUSE Linux Enterprise High Performance Computing 12 SP4 (aarch64 x86_64)
    • binutils-debuginfo-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
    • binutils-2.32-9.33.1
  • SUSE Linux Enterprise Server 12 SP4 (aarch64 ppc64le s390x x86_64)
    • binutils-debuginfo-2.32-9.33.1
    • binutils-debugsource-2.32-9.33.1
    • binutils-2.32-9.33.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4 (ppc64le x86_64)
    • binutils-debuginfo-2.32-9.33.1