CVE-2020-35507: Null Pointer Dereference
First published: Wed Dec 30 2020(Updated: )
GNU Binutils before 2.34 has a NULL pointer dereference in bfd_pef_parse_function_stubs function in bfd/pef.c due to not checking return value of bfd_malloc. This bug allows attackers to cause a denial of service. Reference: <a href="https://sourceware.org/bugzilla/show_bug.cgi?id=25308">https://sourceware.org/bugzilla/show_bug.cgi?id=25308</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/binutils | <2.34 | 2.34 |
| GNU Binutils | <2.34 | |
| Redhat Enterprise Linux | =8.0 | |
| IBM Cloud Pak for Business Automation | ||
| Netapp Hci Compute Node | ||
| Netapp Cloud Backup | ||
| NetApp ONTAP Select Deploy administration utility | ||
| IBM Cloud Pak for Business Automation | ||
| Netapp Solidfire \& Hci Management Node | ||
| Broadcom Brocade Fabric Operating System |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1911691
- https://security.gentoo.org/glsa/202107-24
- https://security.netapp.com/advisory/ntap-20210212-0007/
- https://sourceware.org/bugzilla/show_bug.cgi?id=25308
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1911694
- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7a0fb7be96e0ce79e1ae429bc1ba913e5244d537
Frequently Asked Questions
What is CVE-2020-35507?
CVE-2020-35507 is a vulnerability in the bfd_pef_parse_function_stubs function of the binutils package in versions prior to 2.34.
What is the severity of CVE-2020-35507?
The severity of CVE-2020-35507 is medium, with a severity value of 5.5.
What software is affected by CVE-2020-35507?
The binutils package versions prior to 2.34 are affected, as well as Redhat Enterprise Linux 8.0, GNU Binutils, Netapp HCI Compute Node Firmware, Netapp Cloud Backup, NetApp ONTAP Select Deploy administration utility, Netapp Solidfire, Enterprise Sds & Hci Storage Node, and Broadcom Brocade Fabric Operating System.
How can an attacker exploit CVE-2020-35507?
An attacker can exploit CVE-2020-35507 by submitting a crafted file to be processed by objdump, which can cause a NULL pointer dereference.
Is there a fix available for CVE-2020-35507?
Yes, the vulnerability can be fixed by updating the binutils package to version 2.34 or newer.
- agent/type
- agent/first-publish-date
- agent/references
- agent/severity
- agent/author
- agent/remedy
- agent/description
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-35507
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/weakness
- agent/tags
- agent/event
- vendor/gnu
- canonical/gnu binutils
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- vendor/netapp
- canonical/netapp hci compute node firmware
- canonical/netapp hci compute node
- canonical/netapp cloud backup
- canonical/netapp ontap select deploy administration utility
- canonical/netapp solidfire\, enterprise sds \& hci storage node
- canonical/netapp solidfire \& hci management node
- vendor/broadcom
- canonical/broadcom brocade fabric operating system
- package-manager/redhat