Bug 91817 - dev-libs/elfutils: heap overflow
Summary: dev-libs/elfutils: heap overflow
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All, OS: All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa] jaervosz
Depends on: 91398
Reported: 2005-05-07 10:34 UTC by Tavis Ormandy (RETIRED)
Modified: 2005-07-02 14:48 UTC

heap overflow patch (elfutils-heap-overflow-sections.diff,574 bytes, patch)
2005-05-07 10:50 UTC, Tavis Ormandy (RETIRED)
elfutils-0.108-robustify.patch (elfutils-0.108-robustify.patch,35.62 KB, patch)
2005-05-17 04:23 UTC, solar (RETIRED)

Description Tavis Ormandy (RETIRED) gentoo-dev 2005-05-07 10:34:56 UTC
See bug 91398 for details and testcase; elfutils is vulnerable to the same heap overflow.

The same fix used in bfd can be tweaked and applied; it looks like the allocation happens around line 228 of elf_begin.c:

  /* Determine the number of sections.  */
  /* We can now allocate the memory.  */
  elf = allocate_elf (fildes, map_address, offset, maxsize, cmd, parent,
              ELF_K_ELF, scncnt * sizeof (Elf_Scn));
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-07 10:36:22 UTC
Applying the same sanity test to the "scncnt * sizeof (Elf_Scn)" calculation should fix it.
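The sanity test the two comments above refer to is the one from bug 91398, which is not reproduced on this page. The following is an added example, written for this page and not code from elfutils or from the attached patches, of the general shape such a check takes: before a section count read from the file is multiplied by the descriptor size and handed to the allocator, confirm that the multiplication cannot wrap and that the section header table the count describes actually fits inside the mapped file. The `Elf_Scn_stub` and `ehdr_stub` types, the `scn_alloc_size` function and the sample header values are all constructed for the example; elfutils' real `Elf_Scn` has a different size and the real fix may differ in detail.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for elfutils' section descriptor (assumed; the real
   sizeof(Elf_Scn) differs, only the multiplication pattern matters). */
typedef struct { uint64_t words[8]; } Elf_Scn_stub;

/* The three ELF header fields the check depends on (assumed stand-in
   for the header elfutils has already read at this point). */
typedef struct {
    uint64_t e_shoff;     /* file offset of the section header table */
    uint32_t e_shentsize; /* bytes per section header entry */
    uint32_t e_shnum;     /* number of section header entries (untrusted) */
} ehdr_stub;

/* Validate an untrusted section count before it sizes a heap allocation.
   Returns 1 and stores the byte count in *alloc_bytes when the count is
   plausible; returns 0 when either
     (a) scncnt * sizeof(Elf_Scn_stub) would wrap around size_t, or
     (b) the section header table that scncnt describes does not fit in
         the mapped file of maxsize bytes.
   A file that fails (b) cannot legitimately contain that many sections,
   so the oversized allocation and the loop that fills it are refused. */
int scn_alloc_size(const ehdr_stub *eh, size_t maxsize, size_t *alloc_bytes)
{
    size_t scncnt = eh->e_shnum;

    /* (a) overflow-safe multiplication: reject before multiplying. */
    if (scncnt > SIZE_MAX / sizeof(Elf_Scn_stub))
        return 0;

    /* (b) the header table must lie entirely inside the file.  Both
       operands are 32-bit, so the 64-bit product cannot overflow. */
    if (eh->e_shentsize == 0)
        return 0;
    uint64_t table_bytes = (uint64_t)scncnt * (uint64_t)eh->e_shentsize;
    if (eh->e_shoff > maxsize || table_bytes > (uint64_t)maxsize - eh->e_shoff)
        return 0;

    *alloc_bytes = scncnt * sizeof(Elf_Scn_stub);
    return 1;
}

int main(void)
{
    /* Constructed sample headers; not taken from the bug's test case. */
    ehdr_stub sane  = { .e_shoff = 64, .e_shentsize = 64, .e_shnum = 3 };
    ehdr_stub bogus = { .e_shoff = 64, .e_shentsize = 64, .e_shnum = 0xFFFFFFFFu };
    size_t n = 0;

    if (scn_alloc_size(&sane, 4096, &n))
        printf("sane header: allocate %zu bytes\n", n);
    else
        printf("sane header: rejected\n");

    if (scn_alloc_size(&bogus, 4096, &n))
        printf("bogus header: allocate %zu bytes\n", n);
    else
        printf("bogus header: rejected (section table does not fit in file)\n");
    return 0;
}
```

Check (b) is the one that matters for a crafted file: on a 64-bit host a 32-bit `e_shnum` can never trip the `SIZE_MAX` test on its own, so without the file-size bound the allocation simply succeeds at a few hundred gigabytes requested, or fails and is handled, while the subsequent header loop reads past the mapping. Bounding the table against `maxsize` is what turns the malformed input into a graceful failure of the kind Comment 2 reports for `eu-readelf -a`.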
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-07 10:50:20 UTC
Created attachment 58287 [details, diff]
heap overflow patch

eu-readelf -a fails the testcase gracefully with this patch.
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-12 13:36:52 UTC
elfutils-0.94-r2 contains the patch.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-05-13 01:37:19 UTC
Arches, please test and mark stable 0.94-r2 or 0.97-r1, at your choice.
Comment 5 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-05-13 05:03:33 UTC
Stable on ppc.
Comment 6 Jan Brinkmann (RETIRED) gentoo-dev 2005-05-13 05:12:19 UTC
0.94-r2 stable on amd64
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2005-05-13 06:25:25 UTC
0.94-r2 sparc stable.
Comment 8 René Nussbaumer (RETIRED) gentoo-dev 2005-05-13 08:17:42 UTC
Stable on hppa
Comment 9 Olivier Crete (RETIRED) gentoo-dev 2005-05-14 10:52:04 UTC
x86 stable. I went with 0.94-r2 too, out of sheer conservatism.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2005-05-15 05:23:59 UTC
stable on ppc64
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2005-05-15 07:16:22 UTC
Stable on alpha + ia64.
Comment 12 solar (RETIRED) gentoo-dev 2005-05-17 04:23:18 UTC
Created attachment 59110 [details, diff]

Jakub Jelinek (upstream) provides the following patch to address this and other
problems. I think it obsoletes the previous patch but I'm not sure yet.
Comment 13 solar (RETIRED) gentoo-dev 2005-05-17 09:16:59 UTC
0.108 is in the tree.
Comment 14 solar (RETIRED) gentoo-dev 2005-05-17 10:42:32 UTC
Added an additional 0.108 incremental patch from Jakub which solves the remaining regression failure with elfutils that we found.
This version or a 0.109 is what arches will want to mark stable in general if you want to use upstream fixes.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-19 07:57:49 UTC
Arches please test and mark 0.108 stable. 
Comment 16 Yuta SATOH (RETIRED) gentoo-dev 2005-05-19 10:48:18 UTC
Stable on ppc64
Comment 17 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-05-19 10:48:41 UTC
Stable on ppc.
Comment 18 René Nussbaumer (RETIRED) gentoo-dev 2005-05-19 10:55:43 UTC
Stable on hppa
Comment 19 Jan Brinkmann (RETIRED) gentoo-dev 2005-05-19 10:58:06 UTC
stable on amd64
Comment 20 Gustavo Zacarias (RETIRED) gentoo-dev 2005-05-19 11:07:48 UTC
sparc stable.
Comment 21 Bryan Østergaard (RETIRED) gentoo-dev 2005-05-20 11:49:54 UTC
Stable on alpha + ia64.
Comment 22 Olivier Crete (RETIRED) gentoo-dev 2005-05-22 14:25:15 UTC
Sorry for the delay... stable on x86... we really need more people on x86@.
Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2005-05-29 03:17:44 UTC
Waiting for binutils to be ready
Comment 24 solar (RETIRED) gentoo-dev 2005-06-01 05:48:22 UTC
Removed the old vulnerable ebuilds for the sake of the GLSA itself.
All arches minus mips are currently marked stable.
Comment 25 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-01 08:31:54 UTC
GLSA 200506-01 
mips please remember to mark stable. 
Comment 26 Hardave Riar (RETIRED) gentoo-dev 2005-07-02 14:48:13 UTC
Stable on mips.