elfutils: CVE-2019-7665


Debian Bug report logs - #921880


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 9 Feb 2019 20:27:01 UTC

Severity: normal

Tags: fixed-upstream, security, upstream

Found in version elfutils/0.175-2

Fixed in version elfutils/0.176-1

Done: Kurt Roeckx <kurt@roeckx.be>

Bug is archived. No further changes may be made.

Forwarded to https://sourceware.org/bugzilla/show_bug.cgi?id=24089



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Kurt Roeckx <kurt@roeckx.be>:
Bug#921880; Package src:elfutils. (Sat, 09 Feb 2019 20:27:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Kurt Roeckx <kurt@roeckx.be>. (Sat, 09 Feb 2019 20:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: elfutils: CVE-2019-7665
Date: Sat, 09 Feb 2019 21:24:10 +0100
Source: elfutils
Version: 0.175-2
Severity: normal
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=24089

Hi,

The following vulnerability was published for elfutils.

CVE-2019-7665[0]:
| In elfutils 0.175, a heap-based buffer over-read was discovered in the
| function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF
| input can cause a segmentation fault leading to denial of service
| (program crash) because ebl_core_note does not reject malformed core
| file notes.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-7665
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7665
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=24089

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
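
The failure mode the CVE text above names, a core-file note whose header claims more name or descriptor bytes than the file actually holds, is the kind of input a note parser has to reject before it reads past the header. The block below is an added example written for this page: it is not elfutils' own code, does not reproduce the upstream fix for bug 24089, and the names `nhdr32`, `walk_notes32`, `align4` and the sample byte arrays are assumptions constructed for illustration (the "CORE" name with type 1 follows the usual NT_PRSTATUS convention, but the descriptor bytes are made up). It walks ELF32 notes and validates every header against the bytes that remain, including the integer wrap that padding a huge size can cause, and returns -1 on the first note that does not fit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Elf32_Nhdr as laid out in the ELF spec, redefined here (assumed name) so
 * the example builds without <elf.h>. Name and desc follow, each 4-aligned. */
struct nhdr32 { uint32_t n_namesz, n_descsz, n_type; };

typedef void (*note_cb)(uint32_t type, const char *name, uint32_t namesz,
                        const unsigned char *desc, uint32_t descsz, void *arg);

/* Round v up to 4 bytes; sets *ok = 0 instead of silently wrapping. */
static uint32_t align4(uint32_t v, int *ok)
{
    uint32_t r = (v + 3u) & ~3u;
    if (r < v) *ok = 0;
    return r;
}

/* Walk the notes in buf[0..len). Each header is checked against the bytes
 * that remain before anything after it is read; on the first note that does
 * not fit, return -1. Otherwise return the note count, passing each note to
 * cb (if non-NULL). */
int walk_notes32(const unsigned char *buf, size_t len, note_cb cb, void *arg)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        struct nhdr32 h;
        if (len - off < sizeof h)
            return -1;                       /* truncated header */
        memcpy(&h, buf + off, sizeof h);     /* no unaligned access */

        int ok = 1;
        uint32_t name_pad = align4(h.n_namesz, &ok);
        uint32_t desc_pad = align4(h.n_descsz, &ok);
        if (!ok)
            return -1;                       /* size rounds past UINT32_MAX */

        size_t remaining = len - off - sizeof h;
        /* One component at a time, so the sum cannot wrap size_t. */
        if (name_pad > remaining || desc_pad > remaining - name_pad)
            return -1;                       /* name or desc overruns buf */

        const unsigned char *name = buf + off + sizeof h;
        if (cb)
            cb(h.n_type, (const char *)name, h.n_namesz,
               name + name_pad, h.n_descsz, arg);
        off += sizeof h + name_pad + desc_pad;
        count++;
    }
    return count;
}

/* Constructed sample notes (not taken from any real core file): a CORE note
 * of type 1 with a 4-byte descriptor, then two malformed variants. */
#define NOTE_TAIL 'C','O','R','E',0,0,0,0, 0xde,0xad,0xbe,0xef
static const unsigned char good_note[24]      = { 5,0,0,0, 4,0,0,0, 1,0,0,0, NOTE_TAIL };
/* n_descsz claims 0x7fffffff bytes the buffer does not hold */
static const unsigned char oversized_note[24] = { 5,0,0,0, 0xff,0xff,0xff,0x7f, 1,0,0,0, NOTE_TAIL };
/* n_namesz = 0xffffffff: rounding it up to 4 wraps to 0 */
static const unsigned char wrapping_note[24]  = { 0xff,0xff,0xff,0xff, 4,0,0,0, 1,0,0,0, NOTE_TAIL };

static void count_core_notes(uint32_t type, const char *name, uint32_t namesz,
                             const unsigned char *desc, uint32_t descsz, void *arg)
{
    (void)desc; (void)descsz;
    if (type == 1 && namesz == 5 && memcmp(name, "CORE", 5) == 0)
        ++*(int *)arg;
}

/* Each demo returns walk_notes32's result; seen counts CORE notes delivered. */
static int run(const unsigned char *buf, size_t len, int *seen)
{
    *seen = 0;
    return walk_notes32(buf, len, count_core_notes, seen);
}
int demo_well_formed(void)      { int s; return run(good_note, 24, &s) == 1 && s == 1; }
int demo_oversized_desc(void)   { int s; return run(oversized_note, 24, &s); }
int demo_wrapping_namesz(void)  { int s; return run(wrapping_note, 24, &s); }
int demo_truncated_header(void) { int s; return run(good_note, 6, &s); }

int main(void)
{
    printf("well-formed=%d oversized=%d wrapping=%d truncated=%d\n",
           demo_well_formed(), demo_oversized_desc(),
           demo_wrapping_namesz(), demo_truncated_header());
    return 0;
}
```

The two malformed samples fail for different reasons: the oversized descriptor is caught by the remaining-bytes comparison, while the 0xffffffff name size is caught one step earlier, when padding it to four bytes wraps to zero and would otherwise look like an empty name. Elf64_Nhdr keeps the same three 32-bit fields, so the same validation applies to 64-bit core files.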



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Tue, 12 Feb 2019 00:15:09 GMT)


Reply sent to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility. (Sat, 16 Feb 2019 14:51:20 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 16 Feb 2019 14:51:20 GMT)


Message #12 received at 921880-close@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: 921880-close@bugs.debian.org
Subject: Bug#921880: fixed in elfutils 0.176-1
Date: Sat, 16 Feb 2019 14:47:53 +0000
Source: elfutils
Source-Version: 0.176-1

We believe that the bug you reported is fixed in the latest version of
elfutils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 921880@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated elfutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 16 Feb 2019 14:54:50 +0100
Source: elfutils
Binary: elfutils libelf1 libelf-dev libdw-dev libdw1 libasm1 libasm-dev
Architecture: source
Version: 0.176-1
Distribution: unstable
Urgency: medium
Maintainer: Kurt Roeckx <kurt@roeckx.be>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description:
 elfutils   - collection of utilities to handle ELF objects
 libasm-dev - libasm development libraries and header files
 libasm1    - library with a programmable assembler interface
 libdw-dev  - libdw1 development libraries and header files
 libdw1     - library that provides access to the DWARF debug information
 libelf-dev - libelf1 development libraries and header files
 libelf1    - library to read and write ELF files
Closes: 920909 920910 920911 921880 921881
Changes:
 elfutils (0.176-1) unstable; urgency=medium
 .
   * New upstream release
     - Fixes CVE-2019-7150 (Closes: #920909)
     - Fixes CVE-2019-7149 (Closes: #920910)
     - Fixes CVE-2019-7146 (Closes: #920911)
     - Fixes CVE-2019-7665 (Closes: #921880)
     - Fixes CVE-2019-7664 (Closes: #921881)
     - Fixes CVE-2019-7148
     - Drop 0001-tests-Call-test_cleanup-in-backtrace-subr.sh-check_u.patch,
       applied upstream.
   * Update upstream PGP key to new one
Checksums-Sha1:
 8347e18edde0262f8e14c1c4a41566005f1a4e02 2568 elfutils_0.176-1.dsc
 6511203cae7225ae780501834a7ccd234b14889a 8646075 elfutils_0.176.orig.tar.bz2
 6012c37ad5eeb16add7e5e1f0929c383ce0e00d4 455 elfutils_0.176.orig.tar.bz2.asc
 e90a5ed9fc1ba2e193c5316e487909c2ad29212b 31492 elfutils_0.176-1.debian.tar.xz
 a79a742dcc611e54c9a77a12a2f9f7e9d1e65d40 8044 elfutils_0.176-1_source.buildinfo
Checksums-Sha256:
 04188a6d3e83332d462a6b8f5add8fc5f37e4f95cf5d602ad74b574b6f61fc4f 2568 elfutils_0.176-1.dsc
 eb5747c371b0af0f71e86215a5ebb88728533c3a104a43d4231963f308cd1023 8646075 elfutils_0.176.orig.tar.bz2
 51474b579b25fc799de0777e241c83605427d2903f8d28524ef6af42f75931fd 455 elfutils_0.176.orig.tar.bz2.asc
 f19d4982d9c98be2effac6846db55b67d99f152d52babb83592355e497f7dc71 31492 elfutils_0.176-1.debian.tar.xz
 095be69b4b1f2594bde92deb58f627bf55a95c62fc5f76a49fc26d5fa87093ac 8044 elfutils_0.176-1_source.buildinfo
Files:
 c9f86b92d2d6908fa135c359977d9763 2568 libs optional elfutils_0.176-1.dsc
 077e4f49320cad82bf17a997068b1db9 8646075 libs optional elfutils_0.176.orig.tar.bz2
 5296badecd902a6bf8fc7eb778cea932 455 libs optional elfutils_0.176.orig.tar.bz2.asc
 abe54f8d3ecf21759cc0348c8fdfbbde 31492 libs optional elfutils_0.176-1.debian.tar.xz
 6c5ddab71027c325f13b7bc2b4d452ae 8044 libs optional elfutils_0.176-1_source.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Mar 2019 07:30:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:22:28 2019; Machine Name: buxtehude
