
Fedora 29: FEDORA-2018-32c8599fe1 Critical: Elfutils Double-Free Issue

Fedora, September 30, 2018
This revision addresses critical issues related to libc, mitigating potential vulnerabilities linked to unforeseen crashes and memory overruns in specific modules.
Fixes CVE-2018-16062, CVE-2018-16402 and CVE-2018-16403

Summary

Elfutils is a collection of utilities, including stack (to show backtraces), nm (for listing symbols from object files), size (for listing the section sizes of an object or archive file), strip (for discarding symbols), readelf (to see the raw ELF file structures), elflint (to check for well-formed ELF files) and elfcompress (to compress or decompress ELF sections).

Fixes CVE-2018-16062, CVE-2018-16402 and CVE-2018-16403. unstrip: Handle SHT_GROUP sections. strip: Handle mixed (out of order) allocated/non-allocated sections. elfcompress: Don't rewrite input file if no section data needs updating. Try harder to keep same file mode bits (suid) on rewrite. libelf, libdw and all tools now handle extended shnum and shstrndx correctly.

[ 1 ] Bug #1625050 - CVE-2018-16402 elfutils: Double-free due to double decompression of sections in crafted ELF causes crash
https://bugzilla.redhat.com/show_bug.cgi?id=1625050

[ 2 ] Bug #1625055 - CVE-2018-16403 elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash
https://bugzilla.redhat.com/show_bug.cgi?id=1625055

[ 3 ] Bug #1623752 - CVE-2018-16062 elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file
https://bugzilla.redhat.com/show_bug.cgi?id=1623752

Use su -c 'dnf upgrade --advisory FEDORA-2018-32c8599fe1' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html
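To confirm the upgrade took effect, this added example (not part of the Fedora advisory) flags elfutils packages older than the fixed build 0.174-1.fc29 listed on this page. The function names are hypothetical, and GNU `sort -V` is assumed as a stand-in for RPM's own version comparison, which it matches for simple numeric version-release strings like these.

```shell
#!/bin/sh
# Fixed Version-Release for Fedora 29, taken from this advisory.
FIXED_VR="0.174-1.fc29"

# vr_at_least VR FIXED: succeed when VR sorts at or after FIXED.
# Assumption: `sort -V` ordering approximates RPM's comparison here
# (no epochs, tildes or carets in these package versions).
vr_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# audit_elfutils: read "name version-release" lines on stdin, print one
# status line per package, and return 1 if any package is below the fix.
audit_elfutils() {
    rc=0
    while read -r name vr; do
        [ -n "$name" ] || continue
        if vr_at_least "$vr" "$FIXED_VR"; then
            echo "OK $name $vr"
        else
            echo "UPDATE $name $vr (fixed in $FIXED_VR)"
            rc=1
        fi
    done
    return "$rc"
}

# On a Fedora 29 host, feed it the installed packages:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'elfutils*' | audit_elfutils
# Constructed sample input (not real host data): one fixed, one stale package.
printf 'elfutils 0.174-1.fc29\nelfutils-libelf 0.173-1.fc29\n' | audit_elfutils || true
```

A non-zero return from `audit_elfutils` means at least one subpackage (for example elfutils-libelf or elfutils-libs) was left behind and still carries the unpatched libelf/libdw code.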

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/


Severity: critical

Product: Fedora 29
Version: 0.174
Release: 1.fc29
Summary: A collection of utilities and DSOs to handle ELF files and DWARF data
