binutils-2.40-3.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12816-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z binutils-2.40-3.1 on GA media These are all security issues fixed in the binutils-2.40-3.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12816 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-0687/ SUSE CVE CVE-2023-0687 page https://www.suse.com/security/cve/CVE-2023-25585/ SUSE CVE CVE-2023-25585 page https://www.suse.com/security/cve/CVE-2023-25587/ SUSE CVE CVE-2023-25587 page https://www.suse.com/security/cve/CVE-2023-25588/ SUSE CVE CVE-2023-25588 page openSUSE Tumbleweed binutils-2.40-3.1 binutils-devel-2.40-3.1 binutils-devel-32bit-2.40-3.1 binutils-gold-2.40-3.1 gprofng-2.40-3.1 libctf-nobfd0-2.40-3.1 libctf0-2.40-3.1 binutils-2.40-3.1 as a component of openSUSE Tumbleweed binutils-devel-2.40-3.1 as a component of openSUSE Tumbleweed binutils-devel-32bit-2.40-3.1 as a component of openSUSE Tumbleweed binutils-gold-2.40-3.1 as a component of openSUSE Tumbleweed gprofng-2.40-3.1 as a component of openSUSE Tumbleweed libctf-nobfd0-2.40-3.1 as a component of openSUSE Tumbleweed libctf0-2.40-3.1 as a component of openSUSE Tumbleweed ** DISPUTED ** A vulnerability was found in GNU C Library 2.38. It has been declared as critical. This vulnerability affects the function __monstartup of the file gmon.c of the component Call Graph Monitor. The manipulation leads to buffer overflow. It is recommended to apply a patch to fix this issue. VDB-220246 is the identifier assigned to this vulnerability. NOTE: The real existence of this vulnerability is still doubted at the moment. The inputs that induce this vulnerability are basically addresses of the running application that is built with gmon enabled. It's basically trusted input or input that needs an actual security flaw to be compromised or controlled. CVE-2023-0687 openSUSE Tumbleweed:binutils-2.40-3.1 openSUSE Tumbleweed:binutils-devel-2.40-3.1 openSUSE Tumbleweed:binutils-devel-32bit-2.40-3.1 openSUSE Tumbleweed:binutils-gold-2.40-3.1 openSUSE Tumbleweed:gprofng-2.40-3.1 openSUSE Tumbleweed:libctf-nobfd0-2.40-3.1 openSUSE Tumbleweed:libctf0-2.40-3.1 low 4 AV:A/AC:H/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-0687.html CVE-2023-0687 https://bugzilla.suse.com/1207975 SUSE Bug 1207975 A flaw was found in Binutils. The use of an uninitialized field in the struct module *module may lead to application crash and local denial of service. CVE-2023-25585 openSUSE Tumbleweed:binutils-2.40-3.1 openSUSE Tumbleweed:binutils-devel-2.40-3.1 openSUSE Tumbleweed:binutils-devel-32bit-2.40-3.1 openSUSE Tumbleweed:binutils-gold-2.40-3.1 openSUSE Tumbleweed:gprofng-2.40-3.1 openSUSE Tumbleweed:libctf-nobfd0-2.40-3.1 openSUSE Tumbleweed:libctf0-2.40-3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-25585.html CVE-2023-25585 https://bugzilla.suse.com/1208040 SUSE Bug 1208040 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. CVE-2023-25587 openSUSE Tumbleweed:binutils-2.40-3.1 openSUSE Tumbleweed:binutils-devel-2.40-3.1 openSUSE Tumbleweed:binutils-devel-32bit-2.40-3.1 openSUSE Tumbleweed:binutils-gold-2.40-3.1 openSUSE Tumbleweed:gprofng-2.40-3.1 openSUSE Tumbleweed:libctf-nobfd0-2.40-3.1 openSUSE Tumbleweed:libctf0-2.40-3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-25587.html CVE-2023-25587 https://bugzilla.suse.com/1208038 SUSE Bug 1208038 A flaw was found in Binutils. The field `the_bfd` of `asymbol`struct is uninitialized in the `bfd_mach_o_get_synthetic_symtab` function, which may lead to an application crash and local denial of service. CVE-2023-25588 openSUSE Tumbleweed:binutils-2.40-3.1 openSUSE Tumbleweed:binutils-devel-2.40-3.1 openSUSE Tumbleweed:binutils-devel-32bit-2.40-3.1 openSUSE Tumbleweed:binutils-gold-2.40-3.1 openSUSE Tumbleweed:gprofng-2.40-3.1 openSUSE Tumbleweed:libctf-nobfd0-2.40-3.1 openSUSE Tumbleweed:libctf0-2.40-3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-25588.html CVE-2023-25588 https://bugzilla.suse.com/1208037 SUSE Bug 1208037