See bug 91398 for details and testcase; elfutils is vulnerable to the same heap overflow. The same fix used in bfd can be tweaked and applied. It looks like the allocation happens around line 228 of elf_begin.c:

  /* Determine the number of sections. */
  ...
  /* We can now allocate the memory. */
  elf = allocate_elf (fildes, map_address, offset, maxsize, cmd, parent,
                      ELF_K_ELF, scncnt * sizeof (Elf_Scn));

Applying the same sanity test to the "scncnt * sizeof (Elf_Scn)" calculation should fix it.
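As an added example (not elfutils code and not the attached patch), one form of the sanity test proposed above for the scncnt * sizeof (Elf_Scn) allocation. The parameter names scn_size, shoff, shentsize and maxsize are this example's own; the check rejects both a wrapping multiplication and a section header table that does not fit in the mapped file.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Example check, not elfutils code.  ELF stores the section count in the
 * 64-bit sh_size of section header 0 when e_shnum is 0, so
 * scncnt * scn_size can wrap on a careless multiply and undersize the
 * allocation.  scn_size stands in for sizeof (Elf_Scn); shoff, shentsize
 * and maxsize are the header fields / mapping size this example assumes. */
bool checked_scn_alloc_size(uint64_t scncnt, size_t scn_size,
                            uint64_t shoff, uint64_t shentsize,
                            uint64_t maxsize, size_t *out)
{
    if (scn_size == 0 || shentsize == 0 || out == NULL)
        return false;

    /* 1. The in-memory table must not wrap: scncnt * scn_size <= SIZE_MAX. */
    if (scncnt > SIZE_MAX / scn_size)
        return false;

    /* 2. The on-disk section header table must lie inside the mapped file.
     *    Divide instead of forming shoff + scncnt * shentsize, which could
     *    itself overflow before the comparison. */
    if (shoff > maxsize || scncnt > (maxsize - shoff) / shentsize)
        return false;

    *out = (size_t)scncnt * scn_size;
    return true;
}

int main(void)
{
    size_t n = 0;
    /* Constructed inputs: a sane 3-section file, then an absurd count
     * that would wrap the multiplication on a 64-bit host. */
    printf("3 sections: %s (%zu bytes)\n",
           checked_scn_alloc_size(3, 40, 64, 64, 4096, &n) ? "ok" : "rejected", n);
    printf("huge count: %s\n",
           checked_scn_alloc_size(UINT64_MAX / 8, 40, 64, 64, 4096, &n)
               ? "ok" : "rejected");
    return 0;
}
```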
Created attachment 58287 [details, diff]
heap overflow patch

eu-readelf -a fails the testcase gracefully with this patch.
elfutils-0.94-r2 contains the patch.
Arches, please test and mark stable 0.94-r2 or 0.97-r1, at your choice.
Stable on ppc.
0.94-r2 stable on amd64
0.94-r2 sparc stable.
Stable on hppa
x86 stable. I went with 0.94-r2 too out of sheer conservatism
stable on ppc64
Stable on alpha + ia64.
Created attachment 59110 [details, diff]
elfutils-0.108-robustify.patch

Jakub Jelinek (upstream) provides the following patch to address this and other problems. I think it obsoletes the previous patch, but I'm not sure yet.
0.108 is in the tree.
Added an additional 0.108 incremental patch from Jakub which solves the remaining regression failure with elfutils that we found. This version or a 0.109 is what arches will want to mark stable in general if you want to use the upstream fixes.
Arches please test and mark 0.108 stable.
Stable on ppc64
stable on amd64
sparc stable.
Sorry for the delay.. stable on x86.. we really need more people on x86@
Waiting for binutils to be ready
Removed the old vuln ebuilds for the sake of the GLSA itself. All arches minus mips are currently marked stable.
GLSA 200506-01. mips, please remember to mark stable.
Stable on mips.