This was privately disclosed to vapier, who invited me to file a bug here. I found two invalid memory reads in dumpelf. Both are reproducible with "dumpelf $FILE".

1) SEGV on unknown address 0x7f8d94dc9e28 (pc 0x00000051efc6 bp 0x7ffe15ddbfa0 sp 0x7ffe15ddbf60 T0)
==31647==The signal is caused by a READ memory access.
    #0 0x00000000004067f7 in dump_dyn (dyn_void=dyn_void@entry=0x7ff5f7ff6e28, dyn_cnt=dyn_cnt@entry=0, elf=0x60d8e0, elf=0x60d8e0) at dumpelf.c:486
    #1 0x0000000000401e24 in dumpelf (file_cnt=0, filename=<optimized out>) at dumpelf.c:146
    #2 parseargs (argv=0x7fffffffe1a8, argc=2) at dumpelf.c:557
    #3 main (argc=2, argv=0x7fffffffe1a8) at dumpelf.c:566

Reproducer: https://github.com/asarubbo/poc/blob/master/00140-pax-utils-dumpelf-invalidread-dump_dyn

2) SEGV on unknown address 0x6360e1292000 (pc 0x00000051fba9 bp 0x7ffeef817f20 sp 0x7ffeef817ec0 T0)
==8213==The signal is caused by a READ memory access.
    #0 dump_notes (B=B@entry=64, memory=memory@entry=0x63fff7ff5000, memory_end=0x6414f7ff5000, elf=0x60d8e0, elf=0x60d8e0) at dumpelf.c:228
    #1 0x0000000000405636 in dump_phdr (elf=elf@entry=0x60d8e0, phdr_void=phdr_void@entry=0x7ffff7ff50f0, phdr_cnt=phdr_cnt@entry=1) at dumpelf.c:324
    #2 0x0000000000401dd9 in dumpelf (file_cnt=0, filename=<optimized out>) at dumpelf.c:91
    #3 parseargs (argv=0x7fffffffe1a8, argc=2) at dumpelf.c:557
    #4 main (argc=2, argv=0x7fffffffe1a8) at dumpelf.c:566

Reproducer: https://github.com/asarubbo/poc/blob/master/00141-pax-utils-dumpelf-invalidread-dump_notes

If you need something else feel free to ask.
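The second trace above is a read past the end of the mapped note data inside dump_notes, which receives a memory/memory_end pair and walks file-controlled namesz/descsz fields. The following is an added illustration written for this page, not pax-utils code and not the maintainer's fix: a note walker that checks every read against the end of the buffer before performing it, so oversized size fields in a crafted file end the walk instead of dereferencing past the mapping. The function name parse_notes, the struct name and the two byte arrays are all constructed for the example; the real dumpelf.c internals are not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ELF note header. ELF32 and ELF64 share the layout: three 32-bit words,
 * followed by the name (padded to 4 bytes) and the descriptor (padded to 4). */
struct note_hdr {
    uint32_t namesz;
    uint32_t descsz;
    uint32_t type;
};

#define NOTE_ALIGN(x) (((x) + 3u) & ~(uint64_t)3u)

/* Walk the note entries in [mem, mem + len). Every read is checked against
 * the end of the buffer before it happens, so a namesz/descsz that a crafted
 * file sets larger than the remaining bytes ends the walk instead of reading
 * past the mapping. Returns the number of complete notes found, or -1 if the
 * data is truncated or a size field points outside the buffer. */
int parse_notes(const uint8_t *mem, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        struct note_hdr nh;
        uint64_t name_len, desc_len, total;

        /* the 12-byte header itself must fit in the remaining bytes */
        if (len - off < sizeof nh)
            return -1;
        memcpy(&nh, mem + off, sizeof nh);   /* copy: the buffer may be unaligned */
        off += sizeof nh;

        /* do the size arithmetic in 64 bits so attacker-chosen 32-bit
         * namesz/descsz values cannot wrap the sum around */
        name_len = NOTE_ALIGN((uint64_t)nh.namesz);
        desc_len = NOTE_ALIGN((uint64_t)nh.descsz);
        total = name_len + desc_len;

        /* padded name + descriptor must lie entirely inside the buffer */
        if (total > (uint64_t)(len - off))
            return -1;

        /* a non-empty name must be NUL-terminated inside its own namesz,
         * otherwise printing it with %s would run off the end */
        if (nh.namesz != 0 && mem[off + nh.namesz - 1] != '\0')
            return -1;

        off += (size_t)total;
        count++;
    }
    return count;
}

/* Constructed sample input (little-endian), not taken from any real binary. */
static const uint8_t good_notes[] = {
    /* note 1: namesz=4 ("GNU\0"), descsz=16, type=1 */
    0x04,0x00,0x00,0x00,  0x10,0x00,0x00,0x00,  0x01,0x00,0x00,0x00,
    'G','N','U',0x00,
    0x00,0x00,0x00,0x00,  0x02,0x00,0x00,0x00,  0x06,0x00,0x00,0x00,  0x20,0x00,0x00,0x00,
    /* note 2: namesz=6 ("Linux\0", padded to 8), descsz=4, type=3 */
    0x06,0x00,0x00,0x00,  0x04,0x00,0x00,0x00,  0x03,0x00,0x00,0x00,
    'L','i','n','u','x',0x00,  0x00,0x00,
    0xde,0xad,0xbe,0xef,
};

/* Constructed malicious input: descsz = 0xfffffff0 with only 16 descriptor
 * bytes actually present. An unchecked walker would read ~4 GiB past the
 * end of this buffer. */
static const uint8_t bad_notes[] = {
    0x04,0x00,0x00,0x00,  0xf0,0xff,0xff,0xff,  0x01,0x00,0x00,0x00,
    'G','N','U',0x00,
    0x00,0x00,0x00,0x00,  0x00,0x00,0x00,0x00,  0x00,0x00,0x00,0x00,  0x00,0x00,0x00,0x00,
};

int main(void)
{
    printf("good notes: %d\n", parse_notes(good_notes, sizeof good_notes));
    printf("oversized descsz: %d\n", parse_notes(bad_notes, sizeof bad_notes));
    printf("truncated good notes: %d\n", parse_notes(good_notes, 30));
    return 0;
}
```

The point of doing the comparison as `total > len - off` rather than `mem + off + total > memory_end` is that the former cannot overflow a pointer: with `off <= len` the subtraction is always well defined, whereas adding an attacker-controlled 32-bit size to a pointer near the top of the address space can wrap and pass an end-pointer check.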
Should be fixed here: https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=18ded0e30ee5a84260cceb80d818b9c21ade4c76

Not planning on doing an update right away, since dumpelf is a programming tool that no one really runs directly.
To confirm it's not in the latest release:

git describe --tags 18ded0e30ee5a84260cceb80d818b9c21ade4c76
v1.2.2-2-g18ded0e
This is fixed in app-misc/pax-utils-1.2.3 and newer.
This one was assigned to security so re-opening.
@Maintainers, please call for stabilization when ready. Thank you.
@arches, please stabilize.
ia64 stable
ppc/ppc64 stable
amd64 stable
hppa stable
x86 stable
arm64 stable
Stable on alpha.
arm stable, all arches done.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7d7a5a014319335d947d6f162c4b91e1d00ba139

commit 7d7a5a014319335d947d6f162c4b91e1d00ba139
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-08 13:07:57 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-08 13:07:57 +0000

    app-misc/pax-utils: drop vulnerable

    Bug: https://bugs.gentoo.org/607896
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 app-misc/pax-utils/Manifest                  |  2 -
 app-misc/pax-utils/pax-utils-1.1.7.ebuild    | 56 -------------------------
 app-misc/pax-utils/pax-utils-1.2.2-r2.ebuild | 62 ----------------------------
 3 files changed, 120 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1b23a73f6a51d28568444f367daf1af963db31bf

commit 1b23a73f6a51d28568444f367daf1af963db31bf
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-08 13:06:48 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-08 13:06:48 +0000

    app-misc/pax-utils: stabilize ppc per Sergei's comment

    ppc/ppc64 is stable, but keyword was missed.

    Bug: https://bugs.gentoo.org/607896
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 app-misc/pax-utils/pax-utils-1.2.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
GLSA Vote: No