Bug 676794 (CVE-2019-7150) - <dev-libs/elfutils-0.173-r1: dwfl_segment_report_module doesn't check whether the dyn data read from core
Summary: <dev-libs/elfutils-0.173-r1: dwfl_segment_report_module doesn't check whether...
Status: RESOLVED FIXED
Alias: CVE-2019-7150
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://sourceware.org/bugzilla/show_...
Whiteboard: A4 [noglsa cve]
Reported: 2019-01-29 14:23 UTC by Dimitris Nakos (sokan)
Modified: 2019-10-13 11:24 UTC

Package list:
=dev-libs/elfutils-0.173-r1
Runtime testing required: No


Description Dimitris Nakos (sokan) 2019-01-29 14:23:19 UTC
An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.

Fixed with patch:
https://sourceware.org/ml/elfutils-devel/2019-q1/msg00070.html

--Gentoo security padawan--
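
The missing check described above, as an added example (not elfutils code and not the upstream patch): a reader that translates only the whole dynamic entries actually present in the data read from a core file, and reports truncation. `read_dyn_checked`, `demo`, `struct dyn64` and the sample segment are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>

#define DYN64_SIZE 16u   /* on-disk size of one Elf64_Dyn entry */
#define DT_NULL_TAG 0    /* DT_NULL ends the dynamic array */

struct dyn64 { int64_t tag; uint64_t val; };
/* Decode a little-endian 64-bit field byte by byte (no alignment assumptions). */
static uint64_t le64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* declared: size the program header claims; avail: bytes actually read.
 * Only whole entries inside BOTH limits are translated; trusting `declared`
 * alone is the unchecked pattern. Stops at DT_NULL (not counted).
 * Returns the number of entries stored in out; *truncated flags a short read. */
size_t read_dyn_checked(const unsigned char *buf, size_t declared, size_t avail,
                        struct dyn64 *out, size_t out_max, int *truncated)
{
    size_t usable = declared < avail ? declared : avail;
    size_t n = usable / DYN64_SIZE;      /* drop any partial trailing entry */
    size_t stored = 0;
    *truncated = avail < declared;
    for (size_t i = 0; i < n && stored < out_max; i++) {
        const unsigned char *e = buf + i * DYN64_SIZE;
        int64_t tag = (int64_t)le64(e);
        if (tag == DT_NULL_TAG)
            break;
        out[stored].tag = tag;
        out[stored].val = le64(e + 8);
        stored++;
    }
    return stored;
}

/* Constructed sample: DT_NEEDED(1), DT_DEBUG(21), DT_NULL; header claims 48 bytes. */
size_t demo(size_t avail, int *truncated)
{
    unsigned char seg[48] = {0};
    struct dyn64 out[4];
    seg[0] = 1;   seg[8] = 0x10;   /* entry 0: tag 1, val 0x10 */
    seg[16] = 21; seg[24] = 0x40;  /* entry 1: tag 21, val 0x40 */
    return read_dyn_checked(seg, sizeof seg, avail, out, 4, truncated);
}

int main(void) { int t; return demo(48, &t) == 2 ? 0 : 1; }
```
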
Comment 1 Larry the Git Cow gentoo-dev 2019-01-29 21:56:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d21856c6b7ba9348121de36979d22d94fb0bfc16

commit d21856c6b7ba9348121de36979d22d94fb0bfc16
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2019-01-29 21:55:33 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2019-01-29 21:56:18 +0000

    dev-libs/elfutils: fix parsing of partial core, bug #676794
    
    Reported-by: Demetris Nakos
    Bug: https://bugs.gentoo.org/676794
    Bug: https://sourceware.org/PR24103
    Package-Manager: Portage-2.3.59, Repoman-2.3.12
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 dev-libs/elfutils/elfutils-0.173-r1.ebuild         | 69 ++++++++++++++++++++++
 ...utils-0.175.ebuild => elfutils-0.175-r1.ebuild} |  7 ++-
 .../files/elfutils-0.173-partial-core.patch        | 34 +++++++++++
 3 files changed, 108 insertions(+), 2 deletions(-)
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2019-04-04 22:41:51 UTC
@arches, please stabilize
Comment 3 Agostino Sarubbo gentoo-dev 2019-04-05 20:47:42 UTC
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-05 23:06:54 UTC
(In reply to Aaron Bauman from comment #2)
> @arches, please stabilize

Did you get an ACK from the maintainer to start stabilization? >=dev-libs/elfutils-0.175 requires binutils-2.32 to work correctly: bug #671760
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-04-06 04:03:11 UTC
(In reply to Sergei Trofimovich from comment #4)
> (In reply to Aaron Bauman from comment #2)
> > @arches, please stabilize
> 
> Did you get an ACK from the maintainer to start stabilization?
> >=dev-libs/elfutils-0.175 requires binutils-2.32 to work correctly: bug
> #671760

Are you intentionally referencing a bug closed over a month ago?
Comment 6 Matt Turner gentoo-dev 2019-04-06 07:08:39 UTC
(In reply to Aaron Bauman from comment #5)
> (In reply to Sergei Trofimovich from comment #4)
> > (In reply to Aaron Bauman from comment #2)
> > > @arches, please stabilize
> > 
> > Did you get an ACK from the maintainer to start stabilization?
> > >=dev-libs/elfutils-0.175 requires binutils-2.32 to work correctly: bug
> > #671760
> 
> Are you intentionally referencing a bug closed over a month ago?

Read the bug a little better. It was resolved by unmasking elfutils since the appropriate binutils version was now ~arch. That doesn't mean we can stabilize that version yet.

If stable elfutils is broken with stable binutils, that's a problem. As far as I can tell, that's the current situation.
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-06 09:55:53 UTC
(In reply to Aaron Bauman from comment #5)
> (In reply to Sergei Trofimovich from comment #4)
> > (In reply to Aaron Bauman from comment #2)
> > > @arches, please stabilize
> > 
> > Did you get an ACK from the maintainer to start stabilization?
> > >=dev-libs/elfutils-0.175 requires binutils-2.32 to work correctly: bug
> > #671760
> 
> Are you intentionally referencing a bug closed over a month ago?

The bug is relevant.

Can I get an answer to my question please? I'll state it again:

Did you get an ACK from the maintainer to start stabilization?
Comment 8 Larry the Git Cow gentoo-dev 2019-04-06 15:25:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ef6ada6d119ed6afccc9d6fb2006bc3e2814b40

commit 7ef6ada6d119ed6afccc9d6fb2006bc3e2814b40
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-04-06 15:23:54 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-04-06 15:24:59 +0000

    dev-libs/elfutils: Undo stabilization of 0.176
    
    Stabilization was initiated without acknowledgment by toolchain
    
    The result of the stabilization is a configuration in stable that is
    unable to build the kernel, see bug 671760.
    
    Bug: https://bugs.gentoo.org/676794
    Bug: https://bugs.gentoo.org/671760
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 dev-libs/elfutils/elfutils-0.176.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 9 Markus Meier gentoo-dev 2019-04-08 18:26:53 UTC
arm stable, all arches done.
Comment 10 Larry the Git Cow gentoo-dev 2019-04-09 06:59:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b740d8df7d2c6bf9b80ed91eb930434428761176

commit b740d8df7d2c6bf9b80ed91eb930434428761176
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2019-04-09 06:58:03 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2019-04-09 06:59:30 +0000

    dev-libs/elfutils: revert "arm stable, bug #676794"
    
    This reverts commit 24fbdabc1ca529b754949c782c791f40896f475e.
    
    Bug: https://bugs.gentoo.org/676794
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 dev-libs/elfutils/elfutils-0.176.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 11 Andreas K. Hüttel archtester gentoo-dev 2019-04-09 22:22:48 UTC
Arches please stabilize:

dev-libs/elfutils-0.173-r1

(NOTE: 173-r1, NOT 176-r1 !)

Special test instructions: Build a kernel. 
(cf. bug 671760 for background)
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2019-04-10 04:24:36 UTC
amd64 stable
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2019-04-10 17:05:34 UTC
x86 stable
Comment 14 Rolf Eike Beer archtester 2019-04-11 19:41:38 UTC
sparc stable
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2019-04-17 01:37:30 UTC
arm64 stable
Comment 16 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-20 18:40:48 UTC
arm stable
Comment 17 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-27 16:36:53 UTC
ppc64 stable
Comment 18 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-27 16:52:56 UTC
ppc stable
Comment 19 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-28 20:24:09 UTC
s390 stable
Comment 20 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-29 08:55:28 UTC
ia64 stable
Comment 21 Matt Turner gentoo-dev 2019-05-02 04:30:19 UTC
hppa stable by jer
Comment 22 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-02 21:06:17 UTC
alpha stable