Red Hat Enterprise Linux 7: RHSA-2019-2197-01 Low: elfutils Security Fix

August 6, 2019

Red Hat has released a minor elfutils update that resolves security issues and fixes bugs. Details follow.
An update for elfutils is now available for Red Hat Enterprise Linux 7

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

The elfutils packages contain a number of utility programs and libraries related to the creation and maintenance of executable code.
The following packages have been upgraded to a later upstream version: elfutils (0.176). (BZ#1676504)
Security Fix(es):
* elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file (CVE-2018-16062)
* elfutils: Double-free due to double decompression of sections in crafted ELF causes crash (CVE-2018-16402)
* elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libdw/dwarf_hasattr.c causes crash (CVE-2018-16403)
* elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl (CVE-2018-18310)
* elfutils: eu-size cannot handle recursive ar files (CVE-2018-18520)
* elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c (CVE-2018-18521)
* elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw (CVE-2019-7149)
* elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c (CVE-2019-7150)
* elfutils: Out of bound write in elf_cvt_note in libelf/note_xlate.h (CVE-2019-7664)
* elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c (CVE-2019-7665)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

References

https://access.redhat.com/security/cve/CVE-2018-16062
https://access.redhat.com/security/cve/CVE-2018-16402
https://access.redhat.com/security/cve/CVE-2018-16403
https://access.redhat.com/security/cve/CVE-2018-18310
https://access.redhat.com/security/cve/CVE-2018-18520
https://access.redhat.com/security/cve/CVE-2018-18521
https://access.redhat.com/security/cve/CVE-2019-7149
https://access.redhat.com/security/cve/CVE-2019-7150
https://access.redhat.com/security/cve/CVE-2019-7664
https://access.redhat.com/security/cve/CVE-2019-7665
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.7_release_notes/index

Package List

Red Hat Enterprise Linux Client (v. 7):
Source: elfutils-0.176-2.el7.src.rpm
noarch: elfutils-default-yama-scope-0.176-2.el7.noarch.rpm
x86_64:
elfutils-0.176-2.el7.x86_64.rpm
elfutils-debuginfo-0.176-2.el7.i686.rpm
elfutils-debuginfo-0.176-2.el7.x86_64.rpm
elfutils-libelf-0.176-2.el7.i686.rpm
elfutils-libelf-0.176-2.el7.x86_64.rpm
elfutils-libs-0.176-2.el7.i686.rpm
elfutils-libs-0.176-2.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
elfutils-debuginfo-0.176-2.el7.i686.rpm
elfutils-debuginfo-0.176-2.el7.x86_64.rpm
elfutils-devel-0.176-2.el7.i686.rpm
elfutils-devel-0.176-2.el7.x86_64.rpm
elfutils-devel-static-0.176-2.el7.i686.rpm
elfutils-devel-static-0.176-2.el7.x86_64.rpm
elfutils-libelf-devel-0.176-2.el7.i686.rpm
elfutils-libelf-devel-0.176-2.el7.x86_64.rpm
elfutils-libelf-devel-static-0.176-2.el7.i686.rpm
elfutils-libelf-devel-static-0.176-2.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source: elfutils-0.176-2.el7.src.rpm
noarch: elfutils-default-yama-scope-0.176-2.el7.noarch.rpm
x86_64:
elfutils-0.176-2.el7.x86_64.rpm
elfutils-debuginfo-0.176-2.el7.i686.rpm
elfutils-debuginfo-0.176-2.el7.x86_64.rpm
elfutils-libelf-0.176-2.el7.i686.rpm
elfutils-libelf-0.176-2.el7.x86_64.rpm
elfutils-libs-0.176-2.el7.i686.rpm
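The package list above gives the fixed build, elfutils 0.176-2.el7, and the practical question for a defender is which hosts still run an older elfutils build and therefore still carry the CVEs listed in this advisory. The following Python example is added here and is not part of the Red Hat advisory or of elfutils itself. It implements rpm's version-comparison rules (digit runs compare numerically, letter runs lexically, a numeric segment outranks an alphabetic one, and whichever string has segments left over is newer; tilde and caret handling is omitted because the versions here do not use them) and applies them to a constructed host inventory in the shape of rpm -qa output. ELFUTILS_NAMES holds the binary package names from the advisory's package list; SAMPLE_INSTALLED is constructed sample data, not a real host.

```python
import re
from typing import List, Tuple

# Fixed build taken from the advisory's package list: elfutils-0.176-2.el7,
# expressed as (epoch, version, release). Epoch is 0: the names carry none.
FIXED_EVR: Tuple[int, str, str] = (0, "0.176", "2.el7")

# Binary package names that appear in the advisory's package list.
ELFUTILS_NAMES = {
    "elfutils", "elfutils-default-yama-scope", "elfutils-debuginfo",
    "elfutils-libelf", "elfutils-libs", "elfutils-devel",
    "elfutils-devel-static", "elfutils-libelf-devel",
    "elfutils-libelf-devel-static",
}

# Constructed sample inventory (not data from the advisory) in the shape of
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
# as collected from a hypothetical RHEL 7 host.
SAMPLE_INSTALLED = """\
elfutils-libelf-0.172-2.el7.x86_64
elfutils-libs-0.172-2.el7.x86_64
elfutils-default-yama-scope-0.176-2.el7.noarch
elfutils-0.176-2.el7.x86_64
bash-4.2.46-34.el7.x86_64
"""

_SEP = re.compile(r"^[^A-Za-z0-9]+")
_DIGITS = re.compile(r"^[0-9]+")
_ALPHA = re.compile(r"^[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings the way rpm does.
    Returns -1 if a is older than b, 0 if equal, 1 if newer."""
    if a == b:
        return 0
    one, two = a, b
    while True:
        # Separators (anything non-alphanumeric) only delimit segments.
        one = _SEP.sub("", one)
        two = _SEP.sub("", two)
        if not one or not two:
            break
        if _DIGITS.match(one):
            isnum, m1, m2 = True, _DIGITS.match(one), _DIGITS.match(two)
        else:
            isnum, m1, m2 = False, _ALPHA.match(one), _ALPHA.match(two)
        if m2 is None:
            # Segment types differ: a numeric segment sorts as newer.
            return 1 if isnum else -1
        s1, s2 = m1.group(0), m2.group(0)
        one, two = one[len(s1):], two[len(s2):]
        if isnum:
            # Numeric segments: drop leading zeros, longer run is larger.
            s1, s2 = s1.lstrip("0"), s2.lstrip("0")
            if len(s1) != len(s2):
                return 1 if len(s1) > len(s2) else -1
        if s1 != s2:
            return 1 if s1 > s2 else -1
    if not one and not two:
        return 0
    # Whichever side still has segments left is the newer one.
    return -1 if not one else 1


def compare_evr(a: Tuple[int, str, str], b: Tuple[int, str, str]) -> int:
    """Compare (epoch, version, release) triples: epoch first, then version,
    then release, each with rpm's rules."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    c = rpmvercmp(a[1], b[1])
    return c if c else rpmvercmp(a[2], b[2])


def parse_nvra(nvra: str) -> Tuple[str, int, str, str, str]:
    """Split 'name-version-release.arch[.rpm]' into its fields; an optional
    'epoch:' prefix on the version is honoured."""
    if nvra.endswith(".rpm"):
        nvra = nvra[:-4]
    nvr, arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release, arch


def find_unpatched(rpm_output: str,
                   fixed_evr: Tuple[int, str, str] = FIXED_EVR) -> List[str]:
    """Return the installed elfutils packages older than the advisory's
    fixed build, i.e. the ones that still carry the listed CVEs."""
    unpatched = []
    for line in rpm_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, epoch, ver, rel, _arch = parse_nvra(line)
        if name in ELFUTILS_NAMES and compare_evr((epoch, ver, rel), fixed_evr) < 0:
            unpatched.append(line)
    return unpatched


if __name__ == "__main__":
    for pkg in find_unpatched(SAMPLE_INSTALLED):
        print("needs RHSA-2019:2197:", pkg)
```

On a single host the same question is answered by rpm -q elfutils elfutils-libs elfutils-libelf, or by yum updateinfo with the advisory id; the code above is for checking inventories collected from many hosts offline, where rpm itself is not at hand, and for showing why a plain string comparison of versions is not enough (compare "0.176" against "0.176.1", or "2.el7_6" against "2.el7").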


Severity: Low

Advisory ID: RHSA-2019:2197-01
Product: Red Hat Enterprise Linux
Issue date: 2019-08-06

Topic

An update for elfutils is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases / Architectures

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64

Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64

Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64

Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

Bugs Fixed

1623752 - CVE-2018-16062 elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file

1625050 - CVE-2018-16402 elfutils: Double-free due to double decompression of sections in crafted ELF causes crash

1625055 - CVE-2018-16403 elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libdw/dwarf_hasattr.c causes crash

1642604 - CVE-2018-18310 elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl

1646477 - CVE-2018-18520 elfutils: eu-size cannot handle recursive ar files

1646482 - CVE-2018-18521 elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c

1671443 - CVE-2019-7149 elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw

1671446 - CVE-2019-7150 elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c

1677536 - CVE-2019-7664 elfutils: Out of bound write in elf_cvt_note in libelf/note_xlate.h

1677538 - CVE-2019-7665 elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c

1704754 - elfutils xlate (cross-endian) functions might not convert an ELF Note header
