ArchLinux: 201612-4: libdwarf: multiple issues
Summary
- CVE-2016-5027 (denial of service)
A vulnerability was found in libdwarf. A malicious object with data
all-bits-on could bypass length checks, resulting in an out-of-bounds read.
- CVE-2016-5028 (denial of service)
A null pointer dereference vulnerability was found in libdwarf. It is
triggered by a corrupted object file: libdwarf did not handle empty
(bss-like) sections, since it did not expect to see them among the
sections it reads.
- CVE-2016-5029 (denial of service)
A null pointer dereference vulnerability was found in libdwarf in the
create_fullest_file_path() function. It is caused by corrupted DWARF data;
the fix detects the corruption and, where a null string pointer would
otherwise go undetected, substitutes a static string so readers can
notice the situation.
- CVE-2016-5030 (denial of service)
A null pointer dereference vulnerability was found in libdwarf in the
_dwarf_calculate_info_section_end_ptr() function.
- CVE-2016-5031 (information disclosure)
An out-of-bounds read vulnerability was found in libdwarf in the
print_frame_inst_bytes() function.
- CVE-2016-5032 (information disclosure)
An out-of-bounds read vulnerability was found in libdwarf in the
dwarf_get_xu_hash_entry() function.
- CVE-2016-5033 (information disclosure)
An out-of-bounds read vulnerability was found in libdwarf in the
print_exprloc_content() function.
- CVE-2016-5035 (information disclosure)
An out-of-bounds read vulnerability was found in
dwarf_line_table_reader.c.
- CVE-2016-5037 (denial of service)
A null pointer dereference vulnerability was found in the
_dwarf_load_section() function.
- CVE-2016-5040 (denial of service)
A vulnerability was found in libdwarf. If the data read for a
compilation unit header contains a length value that is too large, the
library will read outside its bounds and crash the application.
- CVE-2016-5041 (denial of service)
A vulnerability was found in libdwarf. If no DW_AT_name is present in a
debugging information entry that uses DWARF5 macros, a null dereference
in dwarf_macro5.c will crash the application.
- CVE-2016-5043 (information disclosure)
A vulnerability was found in libdwarf. The dwarf_dealloc() function did
not check its Dwarf_Ptr space argument before using it, which leads to
an out-of-bounds read.
- CVE-2016-5044 (arbitrary code execution)
A vulnerability was found in libdwarf in dwarf_elf_access.c:1071. A
crafted ELF file may produce an offset value larger than the
target_section heap chunk, so that WRITE_UNALIGNED() writes the value at
&outval outside the heap chunk. Because the offset is a 64-bit unsigned
integer, this is not only a heap overflow but a general out-of-bounds
write.
- CVE-2016-7510 (information disclosure)
An out-of-bounds read vulnerability was found in
read_line_table_program() in libdwarf.
- CVE-2016-7511 (denial of service)
An integer overflow vulnerability was found in dwarf_die_deliv.c, causing
a segmentation fault.
- CVE-2016-8679 (information disclosure)
An out-of-bounds heap read vulnerability was found in
_dwarf_get_size_of_val, triggered by invoking the dwarfdump command on a
crafted file.
- CVE-2016-8680 (information disclosure)
An out-of-bounds heap read vulnerability was found in
_dwarf_get_abbrev_for_code, triggered by invoking the dwarfdump command
on a crafted file.
- CVE-2016-8681 (information disclosure)
An out-of-bounds heap read vulnerability was found in
_dwarf_get_abbrev_for_code, triggered by invoking the dwarfdump command
on a crafted file.
- CVE-2016-9275 (information disclosure)
An out-of-bounds heap read was found in _dwarf_skim_forms in
dwarf_macro5.c, triggered by crafted input to the dwarfdump utility.
- CVE-2016-9276 (information disclosure)
An out-of-bounds heap read was found in dwarf_get_aranges_list in
dwarf_arange.c, triggered by crafted input to the dwarfdump utility.
- CVE-2016-9480 (information disclosure)
libdwarf allows context-dependent attackers to obtain sensitive
information or cause a denial of service by using the "malformed dwarf
file" approach, related to a "Heap Buffer Over-read" issue affecting the
dwarf_util.c component.
- CVE-2016-9558 (denial of service)
A negation overflow vulnerability was found in dwarf_leb.c, triggered by
crafted input to the dwarfdump utility.
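The defects listed above recur in two places: length fields that are trusted without being compared to the bytes actually present (CVE-2016-5027, CVE-2016-5040) and LEB128 decoding that can overflow (CVE-2016-9558). The C below is an added example, not libdwarf's code, showing how a DWARF reader can bound a compilation-unit initial length against the remaining buffer, including the all-bits-on and 64-bit escape cases, and decode unsigned and signed LEB128 without any negation step. The function names and all byte strings are constructed for this example.

```c
/* Added example, not libdwarf's code. Bounds-checked reading of two DWARF
 * primitives whose unchecked handling underlies several CVEs in this
 * advisory: the compilation-unit initial length (CVE-2016-5027, CVE-2016-5040)
 * and LEB128 integers (CVE-2016-9558). All byte strings are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian fixed-width read. The bound is tested as *pos > len - width,
 * never as buf + width, so the check itself cannot overflow. */
static bool read_le(const uint8_t *buf, size_t len, size_t *pos,
                    size_t width, uint64_t *out)
{
    if (width > len || *pos > len - width) return false;
    uint64_t v = 0;
    for (size_t i = 0; i < width; i++)
        v |= (uint64_t)buf[*pos + i] << (8 * i);
    *pos += width;
    *out = v;
    return true;
}

/* Parse a CU header's initial length. Fails when the length exceeds the
 * bytes that actually follow, which covers the all-bits-on case. */
bool cu_unit_length(const uint8_t *buf, size_t len, size_t *pos,
                    uint64_t *unit_len, int *offset_size)
{
    uint64_t v;
    if (!read_le(buf, len, pos, 4, &v)) return false;
    if (v == 0xffffffffULL) {               /* 64-bit DWARF escape */
        if (!read_le(buf, len, pos, 8, &v)) return false;
        *offset_size = 8;
    } else if (v >= 0xfffffff0ULL) {
        return false;                       /* reserved by the DWARF spec */
    } else {
        *offset_size = 4;
    }
    if (v > (uint64_t)(len - *pos))         /* compare; never compute buf + v */
        return false;
    *unit_len = v;
    return true;
}

/* Unsigned LEB128. Fails on truncation or on more than 64 significant bits. */
bool read_uleb128(const uint8_t *buf, size_t len, size_t *pos, uint64_t *out)
{
    uint64_t result = 0;
    unsigned shift = 0;
    while (*pos < len) {
        uint8_t byte = buf[(*pos)++];
        if (shift > 63 || (shift == 63 && (byte & 0x7f) > 1))
            return false;                   /* would not fit in 64 bits */
        result |= (uint64_t)(byte & 0x7f) << shift;
        if (!(byte & 0x80)) { *out = result; return true; }
        shift += 7;
    }
    return false;                           /* ran off the end of the buffer */
}

/* Signed LEB128. Sign-extends with an OR mask rather than negating, so there
 * is no negation of INT64_MIN to overflow. */
bool read_sleb128(const uint8_t *buf, size_t len, size_t *pos, int64_t *out)
{
    uint64_t result = 0;
    unsigned shift = 0;
    uint8_t byte;
    do {
        if (*pos >= len || shift > 63) return false;
        byte = buf[(*pos)++];
        /* A 10th byte holds only bit 63: it must be 0x00 or 0x7f and final. */
        if (shift == 63 &&
            ((byte & 0x80) || ((byte & 0x7f) != 0 && (byte & 0x7f) != 0x7f)))
            return false;
        result |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
    } while (byte & 0x80);
    if (shift < 64 && (byte & 0x40))
        result |= ~(uint64_t)0 << shift;    /* sign-extend */
    *out = (int64_t)result;
    return true;
}

int main(void)
{
    uint8_t good[20] = {0x10, 0, 0, 0};     /* length 16; 16 bytes follow */
    uint8_t ones[12] = {0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff};
    uint8_t leb[3] = {0xc0, 0xbb, 0x78};    /* SLEB128 encoding of -123456 */
    size_t pos = 0; uint64_t n; int osz; int64_t s;
    printf("length 16: %s\n", cu_unit_length(good, 20, &pos, &n, &osz) ? "ok" : "rejected");
    pos = 0;
    printf("all ones:  %s\n", cu_unit_length(ones, 12, &pos, &n, &osz) ? "ok" : "rejected");
    pos = 0;
    if (read_sleb128(leb, 3, &pos, &s)) printf("sleb128:   %lld\n", (long long)s);
    return 0;
}
```

The two design points worth copying are that every length is compared against the bytes remaining rather than added to a pointer, which is what makes an all-ones or 64-bit length harmless, and that the signed decoder builds the sign by masking instead of negating a magnitude, which removes the overflow case on the most negative value.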
Resolution
Upgrade to 20161124-1.
# pacman -Syu "libdwarf>=20161124-1"
The problems have been fixed upstream in version 20161124.
References
https://blogs.gentoo.org/ago/2016/11/19/libdwarf-negation-overflow-in-dwarf_leb-c/
https://blogs.gentoo.org/ago/2016/11/07/libdwarf-heap-based-buffer-overflow-in-dwarf_get_aranges_list-dwarf_arange-c/
https://seclists.org/oss-sec/2016/q2/393
https://sourceforge.net/directory/libraries/mac/
https://sourceforge.net/directory/libraries/
https://seclists.org/oss-sec/2016/q4/144
https://seclists.org/oss-sec/2016/q4/145
https://seclists.org/oss-sec/2016/q4/146
https://seclists.org/oss-sec/2016/q4/401
https://github.com/asarubbo/poc/blob/master/00026-libdwarf-heapoverflow-dwarf_get_aranges_list
https://www.prevanders.net/dwarfbug.html
https://access.redhat.com/security/cve/CVE-2016-5027
https://access.redhat.com/security/cve/CVE-2016-5028
https://access.redhat.com/security/cve/CVE-2016-5029
https://access.redhat.com/security/cve/CVE-2016-5030
https://access.redhat.com/security/cve/CVE-2016-5031
https://access.redhat.com/security/cve/CVE-2016-5032
https://access.redhat.com/security/cve/CVE-2016-5033
https://access.redhat.com/security/cve/CVE-2016-5035
https://access.redhat.com/security/cve/CVE-2016-5037
https://access.redhat.com/security/cve/CVE-2016-5040
https://access.redhat.com/security/cve/CVE-2016-5041
https://access.redhat.com/security/cve/CVE-2016-5043
https://access.redhat.com/security/cve/CVE-2016-5044
https://access.redhat.com/security/cve/CVE-2016-7510
https://access.redhat.com/security/cve/CVE-2016-7511
https://access.redhat.com/security/cve/CVE-2016-8679
https://access.redhat.com/security/cve/CVE-2016-8680
https://access.redhat.com/security/cve/CVE-2016-8681
https://access.redhat.com/security/cve/CVE-2016-9275
https://access.redhat.com/security/cve/CVE-2016-9276
https://access.redhat.com/security/cve/CVE-2016-9480
https://access.redhat.com/security/cve/CVE-2016-9558
Workaround
None.