Null pointer dereference vulnerability in Binutils readelf 2.38.50 via function read_and_display_attr_value in file dwarf.c.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Null pointer dereference vulnerability in Binutils readelf 2.38.50 via function     read_and_display_attr_value in file dwarf.c. (CVE-2022-35206)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3825-1 advisory.

    Update to version 2.41 [jsc#PED-5778]:

    * The MIPS port now supports the Sony Interactive Entertainment Allegrex       processor, used with the PlayStation Portable, which implements the MIPS       II ISA along with a single-precision FPU and a few implementation-specific       integer instructions.
    * Objdump's --private option can now be used on PE format files to display the       fields in the file header and section headers.
    * New versioned release of libsframe: libsframe.so.1.  This release introduces       versioned symbols with version node name LIBSFRAME_1.0.  This release also       updates the ABI in an incompatible way: this includes removal of       sframe_get_funcdesc_with_addr API, change in the behavior of       sframe_fre_get_ra_offset and sframe_fre_get_fp_offset APIs.
    * SFrame Version 2 is now the default (and only) format version supported by       gas, ld, readelf and objdump.
    * Add command-line option, --strip-section-headers, to objcopy and strip to       remove ELF section header from ELF file.
    * The RISC-V port now supports the following new standard extensions:

      - Zicond (conditional zero instructions)
      - Zfa (additional floating-point instructions)
      - Zvbb, Zvbc, Zvkg, Zvkned, Zvknh[ab], Zvksed, Zvksh, Zvkn, Zvknc, Zvkng,         Zvks, Zvksc, Zvkg, Zvkt (vector crypto instructions)

    * The RISC-V port now supports the following vendor-defined extensions:
      - XVentanaCondOps
    * Add support for Intel FRED, LKGS and AMX-COMPLEX instructions.
    * A new .insn directive is recognized by x86 gas.
    * Add SME2 support to the AArch64 port.
    * The linker now accepts a command line option of --remap-inputs       <PATTERN>=<FILE> to relace any input file that matches <PATTERN> with       <FILE>.  In addition the option --remap-inputs-file=<FILE> can be used to       specify a file containing any number of these remapping directives.
    * The linker command line option --print-map-locals can be used to include       local symbols in a linker map.  (ELF targets only).
    * For most ELF based targets, if the --enable-linker-version option is used       then the version of the linker will be inserted as a string into the .comment       section.
    * The linker script syntax has a new command for output sections: ASCIZ 'string'       This will insert a zero-terminated string at the current location.
    * Add command-line option, -z nosectionheader, to omit ELF section       header.

    - Contains fixes for these non-CVEs (not security bugs per upstreams       SECURITY.md):
      * bsc#1209642 aka CVE-2023-1579 aka PR29988
      * bsc#1210297 aka CVE-2023-1972 aka PR30285
      * bsc#1210733 aka CVE-2023-2222 aka PR29936
      * bsc#1213458 aka CVE-2021-32256 aka PR105039 (gcc)
      * bsc#1214565 aka CVE-2020-19726 aka PR26240
      * bsc#1214567 aka CVE-2022-35206 aka PR29290
      * bsc#1214579 aka CVE-2022-35205 aka PR29289
      * bsc#1214580 aka CVE-2022-44840 aka PR29732
      * bsc#1214604 aka CVE-2022-45703 aka PR29799
      * bsc#1214611 aka CVE-2022-48065 aka PR29925
      * bsc#1214619 aka CVE-2022-48064 aka PR29922
      * bsc#1214620 aka CVE-2022-48063 aka PR29924
      * bsc#1214623 aka CVE-2022-47696 aka PR29677
      * bsc#1214624 aka CVE-2022-47695 aka PR29846
      * bsc#1214625 aka CVE-2022-47673 aka PR29876

    - This only existed only for a very short while in SLE-15, as the main       variant in devel:gcc subsumed this in binutils-revert-rela.diff.
      Hence:

    - Document fixed CVEs:

      * bsc#1208037 aka CVE-2023-25588 aka PR29677
      * bsc#1208038 aka CVE-2023-25587 aka PR29846
      * bsc#1208040 aka CVE-2023-25585 aka PR29892
      * bsc#1208409 aka CVE-2023-0687 aka PR29444

    - Enable bpf-none cross target and add bpf-none to the multitarget       set of supported targets.
    - Disable packed-relative-relocs for old codestreams.  They generate       buggy relocations when binutils-revert-rela.diff is active.
      [bsc#1206556]
    - Disable ZSTD debug section compress by default.
    - Enable zstd compression algorithm (instead of zlib)       for debug info sections by default.
    - Pack libgprofng only for supported platforms.
    - Move libgprofng-related libraries to the proper locations (packages).
    - Add --without=bootstrap for skipping of bootstrap (faster testing       of the package).

    - Remove broken arm32-avoid-copyreloc.patch to fix [gcc#108515]

    Update to version 2.40:

    * Objdump has a new command line option --show-all-symbols which will make it       display all symbols that match a given address when disassembling.  (Normally       only the first symbol that matches an address is shown).
    * Add --enable-colored-disassembly configure time option to enable colored       disassembly output by default, if the output device is a terminal.  Note,       this configure option is disabled by default.
    * DCO signed contributions are now accepted.
    * objcopy --decompress-debug-sections now supports zstd compressed debug       sections.  The new option --compress-debug-sections=zstd compresses debug       sections with zstd.
    * addr2line and objdump --dwarf now support zstd compressed debug sections.
    * The dlltool program now accepts --deterministic-libraries and
      --non-deterministic-libraries as command line options to control whether or       not it generates deterministic output libraries.  If neither of these options       are used the default is whatever was set when the binutils were configured.
    * readelf and objdump now have a newly added option --sframe which dumps the       SFrame section.
    * Add support for Intel RAO-INT instructions.
    * Add support for Intel AVX-NE-CONVERT instructions.
    * Add support for Intel MSRLIST instructions.
    * Add support for Intel WRMSRNS instructions.
    * Add support for Intel CMPccXADD instructions.
    * Add support for Intel AVX-VNNI-INT8 instructions.
    * Add support for Intel AVX-IFMA instructions.
    * Add support for Intel PREFETCHI instructions.
    * Add support for Intel AMX-FP16 instructions.
    * gas now supports --compress-debug-sections=zstd to compress       debug sections with zstd.
    * Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd}       that selects the default compression algorithm       for --enable-compressed-debug-sections.
    * Add support for various T-Head extensions (XTheadBa, XTheadBb, XTheadBs,       XTheadCmo, XTheadCondMov, XTheadFMemIdx, XTheadFmv, XTheadInt, XTheadMemIdx,       XTheadMemPair, XTheadMac, and XTheadSync) from version 2.0 of the T-Head       ISA manual, which are implemented in the Allwinner D1.
    * Add support for the RISC-V Zawrs extension, version 1.0-rc4.
    * Add support for Cortex-X1C for Arm.
    * New command line option --gsframe to generate SFrame unwind information       on x86_64 and aarch64 targets.
    * The linker has a new command line option to suppress the generation of any       warning or error messages.  This can be useful when there is a need to create       a known non-working binary.  The option is -w or --no-warnings.
    * ld now supports zstd compressed debug sections.  The new option
      --compress-debug-sections=zstd compresses debug sections with zstd.
    * Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd}       that selects the default compression algorithm       for --enable-compressed-debug-sections.
    * Remove support for -z bndplt (MPX prefix instructions).

    - Includes fixes for these CVEs:

      * bsc#1206080 aka CVE-2022-4285 aka PR29699

    - Enable by default: --enable-colored-disassembly.
    - fix build on x86_64_vX platforms

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3695-1 advisory.

    Update to version 2.41 [jsc#PED-5778]:

    * The MIPS port now supports the Sony Interactive Entertainment Allegrex       processor, used with the PlayStation Portable, which implements the MIPS       II ISA along with a single-precision FPU and a few implementation-specific       integer instructions.
    * Objdump's --private option can now be used on PE format files to display the       fields in the file header and section headers.
    * New versioned release of libsframe: libsframe.so.1.  This release introduces       versioned symbols with version node name LIBSFRAME_1.0.  This release also       updates the ABI in an incompatible way: this includes removal of       sframe_get_funcdesc_with_addr API, change in the behavior of       sframe_fre_get_ra_offset and sframe_fre_get_fp_offset APIs.
    * SFrame Version 2 is now the default (and only) format version supported by       gas, ld, readelf and objdump.
    * Add command-line option, --strip-section-headers, to objcopy and strip to       remove ELF section header from ELF file.
    * The RISC-V port now supports the following new standard extensions:

      - Zicond (conditional zero instructions)
      - Zfa (additional floating-point instructions)
      - Zvbb, Zvbc, Zvkg, Zvkned, Zvknh[ab], Zvksed, Zvksh, Zvkn, Zvknc, Zvkng,         Zvks, Zvksc, Zvkg, Zvkt (vector crypto instructions)

    * The RISC-V port now supports the following vendor-defined extensions:

      - XVentanaCondOps

    * Add support for Intel FRED, LKGS and AMX-COMPLEX instructions.
    * A new .insn directive is recognized by x86 gas.
    * Add SME2 support to the AArch64 port.
    * The linker now accepts a command line option of --remap-inputs       <PATTERN>=<FILE> to relace any input file that matches <PATTERN> with       <FILE>.  In addition the option --remap-inputs-file=<FILE> can be used to       specify a file containing any number of these remapping directives.
    * The linker command line option --print-map-locals can be used to include       local symbols in a linker map.  (ELF targets only).
    * For most ELF based targets, if the --enable-linker-version option is used       then the version of the linker will be inserted as a string into the .comment       section.
    * The linker script syntax has a new command for output sections: ASCIZ 'string'       This will insert a zero-terminated string at the current location.
    * Add command-line option, -z nosectionheader, to omit ELF section       header.

    - Contains fixes for these non-CVEs (not security bugs per upstreams SECURITY.md):

      * bsc#1209642 aka CVE-2023-1579 aka PR29988
      * bsc#1210297 aka CVE-2023-1972 aka PR30285
      * bsc#1210733 aka CVE-2023-2222 aka PR29936
      * bsc#1213458 aka CVE-2021-32256 aka PR105039 (gcc)
      * bsc#1214565 aka CVE-2020-19726 aka PR26240
      * bsc#1214567 aka CVE-2022-35206 aka PR29290
      * bsc#1214579 aka CVE-2022-35205 aka PR29289
      * bsc#1214580 aka CVE-2022-44840 aka PR29732
      * bsc#1214604 aka CVE-2022-45703 aka PR29799
      * bsc#1214611 aka CVE-2022-48065 aka PR29925
      * bsc#1214619 aka CVE-2022-48064 aka PR29922
      * bsc#1214620 aka CVE-2022-48063 aka PR29924
      * bsc#1214623 aka CVE-2022-47696 aka PR29677
      * bsc#1214624 aka CVE-2022-47695 aka PR29846
      * bsc#1214625 aka CVE-2022-47673 aka PR29876

    - Fixed a compatibility problem caused by binutils-revert-rela.diff in       SLE codestreams. Needed for update of glibc as that would otherwise pick up       the broken relative relocs support.  [bsc#1213282, jsc#PED-1435]

    - Document fixed CVEs:

      * bsc#1208037 aka CVE-2023-25588 aka PR29677
      * bsc#1208038 aka CVE-2023-25587 aka PR29846
      * bsc#1208040 aka CVE-2023-25585 aka PR29892
      * bsc#1208409 aka CVE-2023-0687 aka PR29444

    - Enable bpf-none cross target and add bpf-none to the multitarget       set of supported targets.
    - Disable packed-relative-relocs for old codestreams.  They generate       buggy relocations when binutils-revert-rela.diff is active.
      [bsc#1206556]
    - Disable ZSTD debug section compress by default.
    - Enable zstd compression algorithm (instead of zlib)       for debug info sections by default.
    - Pack libgprofng only for supported platforms.
    - Move libgprofng-related libraries to the proper locations (packages).
    - Add --without=bootstrap for skipping of bootstrap (faster testing       of the package).

    Update to version 2.40:

    * Objdump has a new command line option --show-all-symbols which will make it       display all symbols that match a given address when disassembling.  (Normally       only the first symbol that matches an address is shown).
    * Add --enable-colored-disassembly configure time option to enable colored       disassembly output by default, if the output device is a terminal.  Note,       this configure option is disabled by default.
    * DCO signed contributions are now accepted.
    * objcopy --decompress-debug-sections now supports zstd compressed debug       sections.  The new option --compress-debug-sections=zstd compresses debug       sections with zstd.
    * addr2line and objdump --dwarf now support zstd compressed debug sections.
    * The dlltool program now accepts --deterministic-libraries and
      --non-deterministic-libraries as command line options to control whether or       not it generates deterministic output libraries.  If neither of these options       are used the default is whatever was set when the binutils were configured.
    * readelf and objdump now have a newly added option --sframe which dumps the       SFrame section.
    * Add support for Intel RAO-INT instructions.
    * Add support for Intel AVX-NE-CONVERT instructions.
    * Add support for Intel MSRLIST instructions.
    * Add support for Intel WRMSRNS instructions.
    * Add support for Intel CMPccXADD instructions.
    * Add support for Intel AVX-VNNI-INT8 instructions.
    * Add support for Intel AVX-IFMA instructions.
    * Add support for Intel PREFETCHI instructions.
    * Add support for Intel AMX-FP16 instructions.
    * gas now supports --compress-debug-sections=zstd to compress       debug sections with zstd.
    * Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd}       that selects the default compression algorithm       for --enable-compressed-debug-sections.
    * Add support for various T-Head extensions (XTheadBa, XTheadBb, XTheadBs,       XTheadCmo, XTheadCondMov, XTheadFMemIdx, XTheadFmv, XTheadInt, XTheadMemIdx,       XTheadMemPair, XTheadMac, and XTheadSync) from version 2.0 of the T-Head       ISA manual, which are implemented in the Allwinner D1.
    * Add support for the RISC-V Zawrs extension, version 1.0-rc4.
    * Add support for Cortex-X1C for Arm.
    * New command line option --gsframe to generate SFrame unwind information       on x86_64 and aarch64 targets.
    * The linker has a new command line option to suppress the generation of any       warning or error messages.  This can be useful when there is a need to create       a known non-working binary.  The option is -w or --no-warnings.
    * ld now supports zstd compressed debug sections.  The new option
      --compress-debug-sections=zstd compresses debug sections with zstd.
    * Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd}       that selects the default compression algorithm       for --enable-compressed-debug-sections.
    * Remove support for -z bndplt (MPX prefix instructions).

    - Includes fixes for these CVEs:

      * bsc#1206080 aka CVE-2022-4285 aka PR29699

    - Enable by default: --enable-colored-disassembly.
    - fix build on x86_64_vX platforms
    - add arm32 avoid copyreloc patch for PR16177 (bsc#1200962)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
224840	Linux Distros Unpatched Vulnerability : CVE-2022-35206	Nessus	Misc.	medium
182107	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : binutils (SUSE-SU-2023:3825-1)	Nessus	SuSE Local Security Checks	critical
181753	SUSE SLES12 Security Update : binutils (SUSE-SU-2023:3695-1)	Nessus	SuSE Local Security Checks	critical

Detections

Analytics

CVE-2022-35206

medium

Tenable Plugins

medium

critical

critical