Commit 468dce63 authored by Thorsten Alteholz's avatar Thorsten Alteholz

DLA-1689-1 advisory

parent 3cd76372
<define-tag pagetitle>DLA-1689-1 elfutils</define-tag>
<define-tag report_date>2019-2-25</define-tag>
<define-tag secrefs>CVE-2017-7608 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612 CVE-2017-7613 CVE-2018-16062 CVE-2018-18310 CVE-2018-18520 CVE-2018-18521 CVE-2019-7149 CVE-2019-7150 CVE-2019-7665</define-tag>
<define-tag packages>elfutils</define-tag>
<define-tag isvulnerable>yes</define-tag>
<define-tag fixed>yes</define-tag>
<define-tag fixed-section>no</define-tag>
#use wml::debian::security
<define-tag description>LTS security update</define-tag>
<define-tag moreinfo>
<p></pre><tt>Several issues in elfutils, a collection of utilities to handle ELF
</tt><tt>objects, have been found either by fuzzing or by using an
</tt><tt>AddressSanitizer.
</tt><pre style="margin: 0em;"></p>
<ul>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2019-7665">CVE-2019-7665</a>
<p>Due to a heap-buffer-overflow problem in function elf32_xlatetom()
a crafted ELF input can cause segmentation faults.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2019-7150">CVE-2019-7150</a>
<p>Add sanity check for partial core file dynamic data read.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2019-7149">CVE-2019-7149</a>
<p>Due to a heap-buffer-overflow problem in function read_srclines()
a crafted ELF input can cause segmentation faults.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2018-18521">CVE-2018-18521</a>
<p>By using a crafted ELF file, containing a zero sh_entsize, a
divide-by-zero vulnerability could allow remote attackers to
cause a denial of service (application crash).</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2018-18520">CVE-2018-18520</a>
<p>By fuzzing an Invalid Address Deference problem in function elf_end
has been found.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2018-18310">CVE-2018-18310</a>
<p>By fuzzing an Invalid Address Read problem in eu-stack has been
found.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2018-16062">CVE-2018-16062</a>
<p>By using an AddressSanitizer a heap-buffer-overflow has been found.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2017-7613">CVE-2017-7613</a>
<p>By using fuzzing it was found that an allocation failure was not
handled properly.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2017-7612">CVE-2017-7612</a>
<p>By using a crafted ELF file, containing an invalid sh_entsize, a
remote attackers could cause a denial of service (application crash).</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2017-7611">CVE-2017-7611</a>
<p>By using a crafted ELF file a remote attackers could cause a denial
of service (application crash).</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2017-7610">CVE-2017-7610</a>
<p>By using a crafted ELF file a remote attackers could cause a denial
of service (application crash).</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2017-7608">CVE-2017-7608</a>
<p>By fuzzing a heap based buffer overflow has been detected.</p>
<p>For Debian 8 &quot;Jessie&quot;, these problems have been fixed in version
0.159-4.2+deb8u1.</p>
<p>We recommend that you upgrade your elfutils packages.</p>
<p>Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: <a rel="nofollow" href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></p></li>
</ul>
</define-tag>
# do not modify the following line
#include "$(ENGLISHDIR)/lts/security/2019/dla-1689.data"
# $Id: $
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment