USN-6544-1: GNU binutils vulnerabilities
Severity
Medium
Vendor
Canonical Ubuntu
Versions Affected
- Canonical Ubuntu 22.04
Description
It was discovered that GNU binutils incorrectly handled certain COFF files. An attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2022-38533) It was discovered that GNU binutils was not properly performing bounds checks in several functions, which could lead to a buffer overflow. An attacker could possibly use this issue to cause a denial of service, expose sensitive information or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-4285, CVE-2020-19726, CVE-2021-46174) It was discovered that GNU binutils contained a reachable assertion, which could lead to an intentional assertion failure when processing certain crafted DWARF files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-35205) Update Instructions: Run `sudo pro fix USN-6544-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: binutils-dev – 2.34-6ubuntu1.7 binutils-arm-linux-gnueabihf – 2.34-6ubuntu1.7 binutils-hppa64-linux-gnu – 2.34-6ubuntu1.7 binutils-ia64-linux-gnu – 2.34-6ubuntu1.7 binutils-multiarch – 2.34-6ubuntu1.7 binutils-x86-64-kfreebsd-gnu – 2.34-6ubuntu1.7 binutils-riscv64-linux-gnu – 2.34-6ubuntu1.7 binutils-m68k-linux-gnu – 2.34-6ubuntu1.7 binutils-for-build – 2.34-6ubuntu1.7 binutils-s390x-linux-gnu – 2.34-6ubuntu1.7 binutils-x86-64-linux-gnu – 2.34-6ubuntu1.7 binutils-multiarch-dev – 2.34-6ubuntu1.7 binutils-i686-gnu – 2.34-6ubuntu1.7 libctf-nobfd0 – 2.34-6ubuntu1.7 binutils-for-host – 2.34-6ubuntu1.7 binutils-doc – 2.34-6ubuntu1.7 binutils-sh4-linux-gnu – 2.34-6ubuntu1.7 binutils-aarch64-linux-gnu – 2.34-6ubuntu1.7 libctf0 – 2.34-6ubuntu1.7 binutils-source – 2.34-6ubuntu1.7 binutils-i686-linux-gnu – 2.34-6ubuntu1.7 binutils-common – 2.34-6ubuntu1.7 binutils-x86-64-linux-gnux32 – 2.34-6ubuntu1.7 binutils-i686-kfreebsd-gnu – 2.34-6ubuntu1.7 binutils-powerpc64le-linux-gnu – 2.34-6ubuntu1.7 binutils-powerpc64-linux-gnu – 2.34-6ubuntu1.7 binutils-hppa-linux-gnu – 2.34-6ubuntu1.7 binutils-sparc64-linux-gnu – 2.34-6ubuntu1.7 libbinutils – 2.34-6ubuntu1.7 binutils-arm-linux-gnueabi – 2.34-6ubuntu1.7 binutils-alpha-linux-gnu – 2.34-6ubuntu1.7 binutils-powerpc-linux-gnu – 2.34-6ubuntu1.7 binutils – 2.34-6ubuntu1.7 No subscription required
CVEs contained in this USN include: CVE-2022-38533, CVE-2020-19726, CVE-2021-46174, CVE-2022-35205, CVE-2022-4285.
Affected Cloud Foundry Products and Versions
Severity is medium unless otherwise noted.
- cflinuxfs4
- All versions prior to 1.59.0
- Jammy Stemcells
- 1.x versions prior to 1.327
- All other stemcells not listed.
- CF Deployment
- All versions with Jammy Stemcells prior to 1.327
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below.
The Cloud Foundry project recommends upgrading the following releases:
- cflinuxfs4
- Upgrade all versions to 1.59.0 or greater
- Jammy Stemcells
- Upgrade 1.x versions to 1.327 or greater
- All other stemcells should be upgraded to the latest version available on bosh.io.
- CF Deployment
- For all versions, upgrade Jammy Stemcells to 1.327 or greater
History
2024-04-04: Initial vulnerability report published.
