Advisories ยป MGASA-2019-0222

Updated elfutils packages fix security vulnerabilities

Publication date: 18 Aug 2019
Type: security
Affected Mageia releases : 6
CVE: CVE-2017-7607 , CVE-2017-7608 , CVE-2017-7609 , CVE-2017-7610 , CVE-2017-7611 , CVE-2017-7612 , CVE-2017-7613 , CVE-2018-16062 , CVE-2018-16402 , CVE-2018-16403 , CVE-2018-18310 , CVE-2018-18520 , CVE-2018-18521 , CVE-2019-7149 , CVE-2019-7150 , CVE-2019-7664 , CVE-2019-7665


It was discovered that elfutils incorrectly handled certain malformed
files. If a user or automated system were tricked into processing a
specially crafted file, elfutils could be made to crash or consume
resources, resulting in a denial of service (CVE-2017-7607, CVE-2017-7608,
CVE-2017-7609, CVE-2017-7610, CVE-2017-7611, CVE-2017-7612, CVE-2017-7613,
CVE-2018-16062, CVE-2018-16402, CVE-2018-16403, CVE-2018-18310,
CVE-2018-18520, CVE-2018-18521, CVE-2019-7149, CVE-2019-7150,

In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note
in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf
input causes a segmentation fault, leading to denial of service (program
crash) (CVE-2019-7664).