elfutils: CVE-2017-7609

Debian Bug report logs - #859994
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 10 Apr 2017 04:57:01 UTC

Severity: normal

Tags: fixed-upstream, security, upstream

Found in version elfutils/0.168-0.2

Fixed in version elfutils/0.168-1

Done: Kurt Roeckx <kurt@roeckx.be>

Bug is archived. No further changes may be made.

Forwarded to https://sourceware.org/bugzilla/show_bug.cgi?id=21301

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kurt Roeckx <kurt@roeckx.be>:
Bug#859994; Package src:elfutils. (Mon, 10 Apr 2017 04:57:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kurt Roeckx <kurt@roeckx.be>. (Mon, 10 Apr 2017 04:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: elfutils: CVE-2017-7609
Date: Mon, 10 Apr 2017 06:55:36 +0200
Source: elfutils
Version: 0.168-0.2
Severity: normal
Tags: upstream security
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=21301

Hi,

the following vulnerability was published for elfutils.

CVE-2017-7609[0]:
| elf_compress.c in elfutils 0.168 does not validate the zlib compression
| factor, which allows remote attackers to cause a denial of service
| (memory consumption) via a crafted ELF file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7609
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7609
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=21301

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 13 Apr 2017 17:36:28 GMT)


Reply sent to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility. (Sat, 27 May 2017 13:36:13 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 27 May 2017 13:36:13 GMT)


Message #12 received at 859994-close@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: 859994-close@bugs.debian.org
Subject: Bug#859994: fixed in elfutils 0.168-1
Date: Sat, 27 May 2017 13:34:09 +0000
Source: elfutils
Source-Version: 0.168-1

We believe that the bug you reported is fixed in the latest version of
elfutils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859994@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated elfutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sat, 27 May 2017 15:05:37 +0200
Source: elfutils
Binary: elfutils libelf1 libelf-dev libdw-dev libdw1 libasm1 libasm-dev
Architecture: source
Version: 0.168-1
Distribution: unstable
Urgency: medium
Maintainer: Kurt Roeckx <kurt@roeckx.be>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description:
 elfutils   - collection of utilities to handle ELF objects
 libasm-dev - libasm development libraries and header files
 libasm1    - library with a programmable assembler interface
 libdw-dev  - libdw1 development libraries and header files
 libdw1     - library that provides access to the DWARF debug information
 libelf-dev - libelf1 development libraries and header files
 libelf1    - library to read and write ELF files
Closes: 859990 859991 859992 859993 859994 859995 859996
Changes:
 elfutils (0.168-1) unstable; urgency=medium
 .
   * Fix CVE-2017-7607 (Closes: #859996)
   * Fix CVE-2017-7608 (Closes: #859995)
   * Fix CVE-2017-7609 (Closes: #859994)
   * Fix CVE-2017-7610 (Closes: #859993)
   * Fix CVE-2017-7611 (Closes: #859992)
   * Fix CVE-2017-7612 (Closes: #859991)
   * Fix CVE-2017-7613 (Closes: #859990)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 26 Jun 2017 07:30:47 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:44:46 2019; Machine Name: buxtehude