elfutils: CVE-2018-18521

Debian Bug report logs - #911413

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 19 Oct 2018 21:51:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions elfutils/0.168-1, elfutils/0.170-0.5

Fixed in version elfutils/0.175-1

Done: Kurt Roeckx <kurt@roeckx.be>

Bug is archived. No further changes may be made.

Forwarded to https://sourceware.org/bugzilla/show_bug.cgi?id=23786


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Kurt Roeckx <kurt@roeckx.be>:
Bug#911413; Package src:elfutils. (Fri, 19 Oct 2018 21:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Kurt Roeckx <kurt@roeckx.be>. (Fri, 19 Oct 2018 21:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: elfutils: CVE-2018-18521
Date: Fri, 19 Oct 2018 23:49:42 +0200
Source: elfutils
Version: 0.170-0.5
Severity: important
Tags: patch security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=23786

Hi,

The following vulnerability was published for elfutils.

CVE-2018-18521[0]:
| Divide-by-zero vulnerabilities in the function arlib_add_symbols() in
| arlib.c in elfutils 0.174 allow remote attackers to cause a denial of
| service (application crash) with a crafted ELF file, as demonstrated by
| eu-ranlib, because a zero sh_entsize is mishandled.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-18521
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18521
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=23786
[2] https://sourceware.org/ml/elfutils-devel/2018-q4/msg00055.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
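The zero sh_entsize case named in the CVE text above, shown as an added illustration in C (this is not elfutils' own code or its upstream fix): a constructed section-header stand-in, the unchecked entry-count division that a crafted file can turn into a divide-by-zero, and a hardened count function that rejects such headers before doing any arithmetic. The struct shdr type, SYM_ENTSIZE and check_symtab are names assumed here.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the two Elf64_Shdr fields this bug class turns on
   (the real header type lives in <elf.h>; field names kept for recognisability). */
struct shdr {
  uint64_t sh_size;     /* byte size of the section */
  uint64_t sh_entsize;  /* byte size of one table entry, 0 if not a table */
};

#define SYM_ENTSIZE 24u   /* sizeof (Elf64_Sym) on disk */

/* Unsafe pattern: entry count as sh_size / sh_entsize with no validation.
   A crafted file carrying sh_entsize == 0 makes this a divide-by-zero. */
static uint64_t symbol_count_unchecked(const struct shdr *s)
{
  return s->sh_size / s->sh_entsize;
}

/* Hardened form: validate the header before doing arithmetic on it.
   Returns the entry count, or -1 if the header cannot describe a symbol table. */
static int64_t symbol_count_checked(const struct shdr *s, uint64_t file_size)
{
  if (s->sh_entsize == 0)               /* the mishandled case behind CVE-2018-18521 */
    return -1;
  if (s->sh_entsize < SYM_ENTSIZE)      /* entries smaller than Elf64_Sym are bogus */
    return -1;
  if (s->sh_size % s->sh_entsize != 0)  /* table must hold whole entries */
    return -1;
  if (s->sh_size > file_size)           /* table must lie inside the file */
    return -1;
  return (int64_t)(s->sh_size / s->sh_entsize);
}

/* Convenience wrapper so individual header values can be checked directly. */
int64_t check_symtab(uint64_t sh_size, uint64_t sh_entsize, uint64_t file_size)
{
  struct shdr s = { sh_size, sh_entsize };
  return symbol_count_checked(&s, file_size);
}

int main(void)
{
  struct shdr good = { 72, SYM_ENTSIZE };  /* constructed: three well-formed entries */
  printf("unchecked: %llu symbols\n", (unsigned long long)symbol_count_unchecked(&good));
  printf("checked:   %lld symbols\n", (long long)check_symtab(72, SYM_ENTSIZE, 4096));
  printf("crafted:   %lld (rejected)\n", (long long)check_symtab(72, 0, 4096));
  return 0;
}
```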



Marked as found in versions elfutils/0.168-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 20 Oct 2018 06:27:02 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 25 Oct 2018 20:33:12 GMT)


Reply sent to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility. (Mon, 19 Nov 2018 21:39:17 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 19 Nov 2018 21:39:17 GMT)


Message #14 received at 911413-close@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: 911413-close@bugs.debian.org
Subject: Bug#911413: fixed in elfutils 0.175-1
Date: Mon, 19 Nov 2018 21:35:34 +0000
Source: elfutils
Source-Version: 0.175-1

We believe that the bug you reported is fixed in the latest version of
elfutils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 911413@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated elfutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 18 Nov 2018 23:01:23 +0100
Source: elfutils
Binary: elfutils libelf1 libelf-dev libdw-dev libdw1 libasm1 libasm-dev
Architecture: source
Version: 0.175-1
Distribution: unstable
Urgency: medium
Maintainer: Kurt Roeckx <kurt@roeckx.be>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description:
 elfutils   - collection of utilities to handle ELF objects
 libasm-dev - libasm development libraries and header files
 libasm1    - library with a programmable assembler interface
 libdw-dev  - libdw1 development libraries and header files
 libdw1     - library that provides access to the DWARF debug information
 libelf-dev - libelf1 development libraries and header files
 libelf1    - library to read and write ELF files
Closes: 907562 911083 911276 911413 911414
Changes:
 elfutils (0.175-1) unstable; urgency=medium
 .
   * New upstream release
     - Build with gcc-8 (Closes: #911276)
     - Drop fix-gcc7-ftbfs.diff
     - Drop GNU_variable_value.patch
     - Drop locviews.patch
     - Update patches
   * Fixes CVE-2018-18521 (Closes: #911413)
   * Fixes CVE-2018-18520 (Closes: #911414)
   * Fixes CVE-2018-18310 (Closes: #911083)
   * Fixes CVE-2018-16403
   * Fixes CVE-2018-16402
   * Fixes CVE-2018-16062 (Closes: #907562)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 02 Feb 2019 07:26:11 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:47:32 2019; Machine Name: buxtehude
