--------------------------------------------------------------------------------Fedora Update Notification
FEDORA-2018-1eec1f0d17
2018-10-02 16:00:51.985672
--------------------------------------------------------------------------------Name        : elfutils
Product     : Fedora 28
Version     : 0.174
Release     : 1.fc28
URL         : https://elfutils.org/
Summary     : A collection of utilities and DSOs to handle ELF files and DWARF data
Description :
Elfutils is a collection of utilities, including stack (to show
backtraces), nm (for listing symbols from object files), size
(for listing the section sizes of an object or archive file),
strip (for discarding symbols), readelf (to see the raw ELF file
structures), elflint (to check for well-formed ELF files) and
elfcompress (to compress or decompress ELF sections).

--------------------------------------------------------------------------------Update Information:

Fixes CVE-2018-16062, CVE-2018-16402 and CVE-2018-16403. unstrip: Handle
SHT_GROUP sections. strip: Handle mixed (out of order) allocated/non-allocated
sections. elfcompress: Don't rewrite input file if no section data needs
updating.  Try harder to keep same file mode bits (suid) on rewrite. libelf,
libdw and all tools now handle extended shnum and shstrndx correctly.
--------------------------------------------------------------------------------ChangeLog:

* Fri Sep 14 2018 Mark Wielaard  - 0.174-1
- New upstream release
  - libelf, libdw and all tools now handle extended shnum and shstrndx
    correctly (#1608390).
  - elfcompress: Don't rewrite input file if no section data needs
    updating.  Try harder to keep same file mode bits (suid) on rewrite.
  - strip: Handle mixed (out of order) allocated/non-allocated sections.
  - unstrip: Handle SHT_GROUP sections.
  - backends: RISCV and M68K now have backend implementations to
    generate CFI based backtraces.
  - Fixes CVE-2018-16062, CVE-2018-16402 and CVE-2018-16403
    (#1623753, #1625051, #1625056).
* Tue Jul 31 2018 Florian Weimer  - 0.173-8
- Rebuild with fixed binutils
* Sun Jul 29 2018 Mark Wielaard  - 0.173-7
- Add elfutils-0.173-strip-alloc-nonalloc.patch (#1609577)
* Tue Jul 24 2018 Mark Wielaard 
- Drop libstdc++-devel BuildRequires. gcc-c++ will pull it in.
* Tue Jul 24 2018 Mark Wielaard  - 0.173-6
- Update elfutils-0.173-annobingroup.patch.
* Sat Jul 21 2018 Mark Wielaard  - 0.173-5
- Add BuildRequires gcc-c++ for demangle support.
- Add elfutils-0.173-annobingroup.patch.
* Sat Jul 21 2018 Mark Wielaard  - 0.173-4
- Add elfutils-0.173-elfcompress.patch (#1607044)
* Thu Jul 12 2018 Fedora Release Engineering  - 0.173-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Jul  9 2018 Mark Wielaard  - 0.173-2
- Update elfutils-0.173-new-notes-hack.patch for new annobin note.
- Unbreak cyclic systemd dependency for buildroot container (#1599083)
* Fri Jun 29 2018 Mark Wielaard  - 0.173-1
- New upstream release
  - More fixes for crashes and hangs found by afl-fuzz. In particular
    various functions now detect and break infinite loops caused by bad
    DIE tree cycles.
  - readelf: Will now lookup the size and signedness of constant value
    types to display them correctly (and not just how they were encoded).
  - libdw: New function dwarf_next_lines to read CU-less .debug_line data.
    dwarf_begin_elf now accepts ELF files containing just .debug_line
    or .debug_frame sections (which can be read without needing a DIE
    tree from the .debug_info section).
    Removed dwarf_getscn_info, which was never implemented.
  - backends: Handle BPF simple relocations.
    The RISCV backends now handles ABI specific CFI and knows about
    RISCV register types and names.
* Wed Jun 20 2018 Mark Wielaard  - 0.172-2
- Add elfutils-0.172-robustify.patch.
* Mon Jun 11 2018 Mark Wielaard  - 0.172-1
- New upstream release.
  - No functional changes compared to 0.171.
  - Various bug fixes in libdw and eu-readelf dealing with bad DWARF5
    data. Thanks to running the afl fuzzer on eu-readelf and various
    testcases.
  - eu-readelf -N is ~15% faster.
* Fri Jun  1 2018 Mark Wielaard  - 0.171-1
- New upstream release.
  - DWARF5 and split dwarf, including GNU DebugFission, support.
  - readelf: Handle all new DWARF5 sections.
    --debug-dump=info+ will show split unit DIEs when found.
    --dwarf-skeleton can be used when inspecting a .dwo file.
    Recognizes GNU locviews with --debug-dump=loc.
  - libdw: New functions dwarf_die_addr_die, dwarf_get_units,
    dwarf_getabbrevattr_data and dwarf_cu_info.
    libdw will now try to resolve the alt file on first use
    when not set yet with dwarf_set_alt.
    dwarf_aggregate_size() now works with multi-dimensional arrays.
  - libdwfl: Use process_vm_readv when available instead of ptrace.
  - backends: Add a RISC-V backend.
--------------------------------------------------------------------------------References:

  [ 1 ] Bug #1625050 - CVE-2018-16402 elfutils: Double-free due to double decompression of sections in crafted ELF causes crash
        https://bugzilla.redhat.com/show_bug.cgi?id=1625050
  [ 2 ] Bug #1625055 - CVE-2018-16403 elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash
        https://bugzilla.redhat.com/show_bug.cgi?id=1625055
  [ 3 ] Bug #1623752 - CVE-2018-16062 elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file
        https://bugzilla.redhat.com/show_bug.cgi?id=1623752
--------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-1eec1f0d17' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

Fedora 28: elfutils Security Update

October 2, 2018
Fixes CVE-2018-16062, CVE-2018-16402 and CVE-2018-16403

Summary

Elfutils is a collection of utilities, including stack (to show

backtraces), nm (for listing symbols from object files), size

(for listing the section sizes of an object or archive file),

strip (for discarding symbols), readelf (to see the raw ELF file

structures), elflint (to check for well-formed ELF files) and

elfcompress (to compress or decompress ELF sections).

Fixes CVE-2018-16062, CVE-2018-16402 and CVE-2018-16403. unstrip: Handle

SHT_GROUP sections. strip: Handle mixed (out of order) allocated/non-allocated

sections. elfcompress: Don't rewrite input file if no section data needs

updating. Try harder to keep same file mode bits (suid) on rewrite. libelf,

libdw and all tools now handle extended shnum and shstrndx correctly.

* Fri Sep 14 2018 Mark Wielaard - 0.174-1

- New upstream release

- libelf, libdw and all tools now handle extended shnum and shstrndx

correctly (#1608390).

- elfcompress: Don't rewrite input file if no section data needs

updating. Try harder to keep same file mode bits (suid) on rewrite.

- strip: Handle mixed (out of order) allocated/non-allocated sections.

- unstrip: Handle SHT_GROUP sections.

- backends: RISCV and M68K now have backend implementations to

generate CFI based backtraces.

- Fixes CVE-2018-16062, CVE-2018-16402 and CVE-2018-16403

(#1623753, #1625051, #1625056).

* Tue Jul 31 2018 Florian Weimer - 0.173-8

- Rebuild with fixed binutils

* Sun Jul 29 2018 Mark Wielaard - 0.173-7

- Add elfutils-0.173-strip-alloc-nonalloc.patch (#1609577)

* Tue Jul 24 2018 Mark Wielaard

- Drop libstdc++-devel BuildRequires. gcc-c++ will pull it in.

* Tue Jul 24 2018 Mark Wielaard - 0.173-6

- Update elfutils-0.173-annobingroup.patch.

* Sat Jul 21 2018 Mark Wielaard - 0.173-5

- Add BuildRequires gcc-c++ for demangle support.

- Add elfutils-0.173-annobingroup.patch.

* Sat Jul 21 2018 Mark Wielaard - 0.173-4

- Add elfutils-0.173-elfcompress.patch (#1607044)

* Thu Jul 12 2018 Fedora Release Engineering - 0.173-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Mon Jul 9 2018 Mark Wielaard - 0.173-2

- Update elfutils-0.173-new-notes-hack.patch for new annobin note.

- Unbreak cyclic systemd dependency for buildroot container (#1599083)

* Fri Jun 29 2018 Mark Wielaard - 0.173-1

- New upstream release

- More fixes for crashes and hangs found by afl-fuzz. In particular

various functions now detect and break infinite loops caused by bad

DIE tree cycles.

- readelf: Will now lookup the size and signedness of constant value

types to display them correctly (and not just how they were encoded).

- libdw: New function dwarf_next_lines to read CU-less .debug_line data.

dwarf_begin_elf now accepts ELF files containing just .debug_line

or .debug_frame sections (which can be read without needing a DIE

tree from the .debug_info section).

Removed dwarf_getscn_info, which was never implemented.

- backends: Handle BPF simple relocations.

The RISCV backends now handles ABI specific CFI and knows about

RISCV register types and names.

* Wed Jun 20 2018 Mark Wielaard - 0.172-2

- Add elfutils-0.172-robustify.patch.

* Mon Jun 11 2018 Mark Wielaard - 0.172-1

- New upstream release.

- No functional changes compared to 0.171.

- Various bug fixes in libdw and eu-readelf dealing with bad DWARF5

data. Thanks to running the afl fuzzer on eu-readelf and various

testcases.

- eu-readelf -N is ~15% faster.

* Fri Jun 1 2018 Mark Wielaard - 0.171-1

- New upstream release.

- DWARF5 and split dwarf, including GNU DebugFission, support.

- readelf: Handle all new DWARF5 sections.

--debug-dump=info+ will show split unit DIEs when found.

--dwarf-skeleton can be used when inspecting a .dwo file.

Recognizes GNU locviews with --debug-dump=loc.

- libdw: New functions dwarf_die_addr_die, dwarf_get_units,

dwarf_getabbrevattr_data and dwarf_cu_info.

libdw will now try to resolve the alt file on first use

when not set yet with dwarf_set_alt.

dwarf_aggregate_size() now works with multi-dimensional arrays.

- libdwfl: Use process_vm_readv when available instead of ptrace.

- backends: Add a RISC-V backend.

[ 1 ] Bug #1625050 - CVE-2018-16402 elfutils: Double-free due to double decompression of sections in crafted ELF causes crash

https://bugzilla.redhat.com/show_bug.cgi?id=1625050

[ 2 ] Bug #1625055 - CVE-2018-16403 elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash

https://bugzilla.redhat.com/show_bug.cgi?id=1625055

[ 3 ] Bug #1623752 - CVE-2018-16062 elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file

https://bugzilla.redhat.com/show_bug.cgi?id=1623752

su -c 'dnf upgrade --advisory FEDORA-2018-1eec1f0d17' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/keys

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

FEDORA-2018-1eec1f0d17 2018-10-02 16:00:51.985672 Product : Fedora 28 Version : 0.174 Release : 1.fc28 URL : https://elfutils.org/ Summary : A collection of utilities and DSOs to handle ELF files and DWARF data Description : Elfutils is a collection of utilities, including stack (to show backtraces), nm (for listing symbols from object files), size (for listing the section sizes of an object or archive file), strip (for discarding symbols), readelf (to see the raw ELF file structures), elflint (to check for well-formed ELF files) and elfcompress (to compress or decompress ELF sections). Fixes CVE-2018-16062, CVE-2018-16402 and CVE-2018-16403. unstrip: Handle SHT_GROUP sections. strip: Handle mixed (out of order) allocated/non-allocated sections. elfcompress: Don't rewrite input file if no section data needs updating. Try harder to keep same file mode bits (suid) on rewrite. libelf, libdw and all tools now handle extended shnum and shstrndx correctly. * Fri Sep 14 2018 Mark Wielaard - 0.174-1 - New upstream release - libelf, libdw and all tools now handle extended shnum and shstrndx correctly (#1608390). - elfcompress: Don't rewrite input file if no section data needs updating. Try harder to keep same file mode bits (suid) on rewrite. - strip: Handle mixed (out of order) allocated/non-allocated sections. - unstrip: Handle SHT_GROUP sections. - backends: RISCV and M68K now have backend implementations to generate CFI based backtraces. - Fixes CVE-2018-16062, CVE-2018-16402 and CVE-2018-16403 (#1623753, #1625051, #1625056). * Tue Jul 31 2018 Florian Weimer - 0.173-8 - Rebuild with fixed binutils * Sun Jul 29 2018 Mark Wielaard - 0.173-7 - Add elfutils-0.173-strip-alloc-nonalloc.patch (#1609577) * Tue Jul 24 2018 Mark Wielaard - Drop libstdc++-devel BuildRequires. gcc-c++ will pull it in. * Tue Jul 24 2018 Mark Wielaard - 0.173-6 - Update elfutils-0.173-annobingroup.patch. * Sat Jul 21 2018 Mark Wielaard - 0.173-5 - Add BuildRequires gcc-c++ for demangle support. - Add elfutils-0.173-annobingroup.patch. * Sat Jul 21 2018 Mark Wielaard - 0.173-4 - Add elfutils-0.173-elfcompress.patch (#1607044) * Thu Jul 12 2018 Fedora Release Engineering - 0.173-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild * Mon Jul 9 2018 Mark Wielaard - 0.173-2 - Update elfutils-0.173-new-notes-hack.patch for new annobin note. - Unbreak cyclic systemd dependency for buildroot container (#1599083) * Fri Jun 29 2018 Mark Wielaard - 0.173-1 - New upstream release - More fixes for crashes and hangs found by afl-fuzz. In particular various functions now detect and break infinite loops caused by bad DIE tree cycles. - readelf: Will now lookup the size and signedness of constant value types to display them correctly (and not just how they were encoded). - libdw: New function dwarf_next_lines to read CU-less .debug_line data. dwarf_begin_elf now accepts ELF files containing just .debug_line or .debug_frame sections (which can be read without needing a DIE tree from the .debug_info section). Removed dwarf_getscn_info, which was never implemented. - backends: Handle BPF simple relocations. The RISCV backends now handles ABI specific CFI and knows about RISCV register types and names. * Wed Jun 20 2018 Mark Wielaard - 0.172-2 - Add elfutils-0.172-robustify.patch. * Mon Jun 11 2018 Mark Wielaard - 0.172-1 - New upstream release. - No functional changes compared to 0.171. - Various bug fixes in libdw and eu-readelf dealing with bad DWARF5 data. Thanks to running the afl fuzzer on eu-readelf and various testcases. - eu-readelf -N is ~15% faster. * Fri Jun 1 2018 Mark Wielaard - 0.171-1 - New upstream release. - DWARF5 and split dwarf, including GNU DebugFission, support. - readelf: Handle all new DWARF5 sections. --debug-dump=info+ will show split unit DIEs when found. --dwarf-skeleton can be used when inspecting a .dwo file. Recognizes GNU locviews with --debug-dump=loc. - libdw: New functions dwarf_die_addr_die, dwarf_get_units, dwarf_getabbrevattr_data and dwarf_cu_info. libdw will now try to resolve the alt file on first use when not set yet with dwarf_set_alt. dwarf_aggregate_size() now works with multi-dimensional arrays. - libdwfl: Use process_vm_readv when available instead of ptrace. - backends: Add a RISC-V backend. [ 1 ] Bug #1625050 - CVE-2018-16402 elfutils: Double-free due to double decompression of sections in crafted ELF causes crash https://bugzilla.redhat.com/show_bug.cgi?id=1625050 [ 2 ] Bug #1625055 - CVE-2018-16403 elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash https://bugzilla.redhat.com/show_bug.cgi?id=1625055 [ 3 ] Bug #1623752 - CVE-2018-16062 elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file https://bugzilla.redhat.com/show_bug.cgi?id=1623752 su -c 'dnf upgrade --advisory FEDORA-2018-1eec1f0d17' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys package-announce mailing list -- package-announce@lists.fedoraproject.org To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

Change Log

References

Update Instructions

Severity
Product : Fedora 28
Version : 0.174
Release : 1.fc28
URL : https://elfutils.org/
Summary : A collection of utilities and DSOs to handle ELF files and DWARF data