bug-binutils

[Bug binutils/32030] Algorithmic complexity vulnerability (CWE-407) in B


From: nhweideman at gmail dot com
Subject: [Bug binutils/32030] Algorithmic complexity vulnerability (CWE-407) in BFD
Date: Sat, 03 Aug 2024 16:02:26 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=32030

--- Comment #2 from Nicolaas Weideman <nhweideman at gmail dot com> ---
I agree that DoS is probably not the main concern here because, as you
mentioned, services analyzing untrusted code should have reasonable timeouts to
prevent DoS.

That being said, "timeout" is clearly an undesirable outcome when attempting to
analyze a potentially malicious executable. I believe this performance issue
should be considered a vulnerability, because a malicious executable can
exploit the undesirable behavior of BFD in order to force a timeout and thereby
evade analysis.
