PT-2017-4264 · Gnu · Gnu Binutils

Published 2017-09-24 · Updated 2021-07-21 · CVE-2017-15021
CVSS v2.0: 9.4 High
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:C
Name of the Vulnerable Software and Affected Versions: GNU Binutils version 2.29
Description: The issue is a buffer over-read in the bfd_get_debug_link_info_1 function within the opncls.c component of the Binary File Descriptor (BFD) library, also known as libbfd. A remote attacker can use a specially crafted ELF file to trigger a heap-based buffer over-read and application crash, causing a denial of service. The bfd_getl32 function (the 32-bit little-endian read helper) is also involved in this issue.
Recommendations: For GNU Binutils version 2.29, update to a newer version that includes a fix for this issue. As a temporary workaround, restrict the use of the bfd_get_debug_link_info_1 function in the opncls.c component until a patch is available. Avoid using the bfd_getl32 function on untrusted input to minimize the risk of exploitation.
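As an added, hypothetical illustration of the failure mode described above (not the binutils code and not the project's own fix): a bounds-checked parse of the .gnu_debuglink section body that bfd_get_debug_link_info_1 reads (file name, NUL terminator, padding to a 4-byte boundary, 4-byte CRC), where every access, including the 32-bit little-endian CRC read of the kind bfd_getl32 performs, is checked against the section size before it happens. The sample sections at the bottom are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Added illustration, not binutils code: parse a .gnu_debuglink body
   (NUL-terminated name, padding to a 4-byte boundary, 4-byte CRC) with every
   read checked against the section size, so a crafted section that drops the
   terminator or truncates the CRC is rejected instead of read past. */
enum { DL_OK = 0, DL_EMPTY, DL_NO_NUL, DL_SHORT_CRC };

/* Little-endian 32-bit read; the caller must have checked 4 bytes exist. */
static uint32_t getl32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* On DL_OK fills *name_len and *crc; any other code means the input is unsafe. */
int parse_debuglink(const uint8_t *sec, size_t size, size_t *name_len, uint32_t *crc)
{
    size_t len = 0, crc_off;
    while (len < size && sec[len] != 0)   /* bounded scan: never past size */
        len++;
    if (len == 0)
        return DL_EMPTY;                  /* empty section or empty name */
    if (len == size)
        return DL_NO_NUL;                 /* no terminator inside the section */
    crc_off = (len + 1 + 3) & ~(size_t)3; /* first 4-byte boundary after NUL */
    if (crc_off > size || size - crc_off < 4)
        return DL_SHORT_CRC;              /* CRC would extend past the buffer */
    *name_len = len;
    *crc = getl32(sec + crc_off);
    return DL_OK;
}

/* Constructed sample sections (not taken from any real binary). */
static const uint8_t SAMPLE_GOOD[]   = { 'a','.','d','b','g',0,0,0, 0x78,0x56,0x34,0x12 };
static const uint8_t SAMPLE_NO_NUL[] = { 'a','.','d','b','g' };
static const uint8_t SAMPLE_SHORT[]  = { 'a','b',0,0, 0x78,0x56 };

int status_of(const uint8_t *sec, size_t size)
{
    size_t n; uint32_t c;
    return parse_debuglink(sec, size, &n, &c);
}

uint32_t crc_of(const uint8_t *sec, size_t size)
{
    size_t n; uint32_t c = 0;
    return parse_debuglink(sec, size, &n, &c) == DL_OK ? c : 0;
}
```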

Fix · DoS · Out of bounds Read


Weakness Enumeration

Related Identifiers

BDU:2023-07714
CVE-2017-15021
MGASA-2019-0169
USN-4336-2

Affected Products

Gnu Binutils
Ubuntu