Mageia Bugzilla – Attachment 11251 Details for Bug 23160
elfutils new security issues CVE-2017-760[7-9], CVE-2017-761[0-3], CVE-2018-8769, CVE-2018-16062, CVE-2018-1640[23], CVE-2018-18310, CVE-2018-1852[01], CVE-2019-714[689], CVE-2019-7150, CVE-2019-766[45]
A selection of POC before the update
before (text/plain), 3.65 KB, created by Len Lawrence on 2019-08-13 18:58:57 CEST
Checking a few CVEs before updating. Sticking to the SUSE reports because they are likely to lead to useful information.

CVE-2017-7607
https://bugzilla.suse.com/show_bug.cgi?id=1033084&_ga=2.35399139.310507506.1565709153-120638559.1565709153
$ eu-readelf -a 00225-elfutils-heapoverflow-handle_gnu_hash
This generates output similar to the SUSE tests upstream but there is no abort or core dump, which might indicate that the issue had been fixed before the update.

CVE-2017-7608
https://bugzilla.suse.com/show_bug.cgi?id=1033085&_ga=2.34342499.310507506.1565709153-120638559.1565709153
$ eu-readelf -a 00226-elfutils-heapoverflow-ebl_object_note_type_name
Again there is a dump indicating a corrupt file whereas upstream "memory exhausted" is reported.

CVE-2017-7609
https://bugzilla.suse.com/show_bug.cgi?id=1033086&_ga=2.33687907.310507506.1565709153-120638559.1565709153
$ eu-readelf -a 00227-elfutils-memallocfailure
Reports a corrupt file and ends with:
eu-readelf: invalid sh_link value in section 1
eu-readelf: invalid sh_link value in section 17
WARNING: Couldn't uncompress section [26]
eu-readelf: invalid sh_link value in section 26

which agrees with the SUSE report.

There seems to be a pattern here... Skipping ahead:

CVE-2018-16062
https://sourceware.org/bugzilla/show_bug.cgi?id=23541
$ eu-addr2line -e addr2line-buffer-over-flow1
This hangs.

CVE-2018-16402
https://sourceware.org/bugzilla/show_bug.cgi?id=23528
$ eu-readelf -S Double-free-libelf
Leads to an Abort (core dumped).

CVE-2018-16403
https://sourceware.org/bugzilla/show_bug.cgi?id=23529
$ eu-readelf --debug-dump=abbrev Buffer-over-readelf
[...]
Abbreviation section at offset 45:

Abbreviation section at offset 46:
 [ 2] offset: 46, children: no, tag: template_value_parameter
 attr: ??? (0), form: ??? (0), offset: 0x2e
 attr: ??? (0), form: ??? (0), offset: 0x30

Abbreviation section at offset 53:
 *** error while reading abbreviation: invalid DWARF

CVE-2018-18310
https://bugzilla.suse.com/show_bug.cgi?id=1111973&_ga=2.60564847.310507506.1565709153-120638559.1565709153
$ eu-stack --core=POC-stack
Segmentation fault (core dumped)

Agrees with upstream which notes that this changes to an ABORT after the update.

CVE-2018-18520
https://bugzilla.suse.com/show_bug.cgi?id=1112726&_ga=2.101327171.310507506.1565709153-120638559.1565709153
Two reproducers are posted.
$ eu-size eu-size_POC1
Segmentation fault (core dumped)
$ eu-size eu-size_POC2
Segmentation fault (core dumped)
These are the expected responses.

CVE-2018-18521
https://bugzilla.suse.com/show_bug.cgi?id=1112723&_ga=2.33686883.310507506.1565709153-120638559.1565709153
$ eu-ranlib POC1
Floating point exception (core dumped)
$ eu-ranlib POC2
Floating point exception (core dumped)
Results as expected.

CVE-2019-7149
https://sourceware.org/bugzilla/show_bug.cgi?id=24102
Three reproducers:
$ eu-nm -C hbo_POC1
eu-nm: hbo_POC1: entry size in section 4 `.bss' is not what we expect
[...]
$ eu-nm -C hbo_POC2
[...]
eu-nm: hbo_POC2: INTERNAL ERROR 1294 (0.169): invalid data
$ eu-nm -C hbo_POC3
[...]
eu-nm: hbo_POC3: INTERNAL ERROR 1294 (0.169): invalid data

CVE-2019-7150
https://sourceware.org/bugzilla/show_bug.cgi?id=24103
Two POC.
$ eu-stack --core=POC1.1
Segmentation fault (core dumped)
Under ASAN upstream this aborted.
$ eu-stack --core=POC2.1
Segmentation fault (core dumped)
Aborted under ASAN.

CVE-2019-7665
https://bugzilla.suse.com/show_bug.cgi?id=1125007&_ga=2.34678371.310507506.1565709153-120638559.1565709153
$ eu-readelf -a POC1.2
[...]
eu-readelf: cannot get content of note section: invalid operation
This message occurs in the valgrind trace as well but upstream valgrind reports "Invalid read of size 1" right at the beginning.
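The attachment above records, by hand, what each elfutils tool did with each proof-of-concept file (clean exit, diagnostic and non-zero exit, segfault, abort, floating point exception, or hang). The script below is an added example, not part of the attachment, of the Mageia bug, or of the elfutils project: it runs the same tool/PoC pairs under a timeout and classifies the result from the exit status, so the run before the update can be diffed against the run after it. It assumes the PoC files named in the report sit in the current directory and that coreutils `timeout` is available; the classification is based on the POSIX convention that a process killed by signal N exits with status 128+N (134 = SIGABRT, 136 = SIGFPE, 139 = SIGSEGV) and that `timeout` exits 124 when the command overruns. Stdin is redirected from /dev/null because eu-addr2line reads addresses from stdin when none are given on the command line, which would otherwise be indistinguishable from a hang.

```shell
#!/bin/sh
# Added example (not from the bug report or elfutils): run one tool on one
# PoC and classify the outcome. PoC file names below are assumed to exist.

# classify_run SECONDS CMD [ARGS...]
# Prints one word: ok, error, segv, abort, fpe, hang, or signal<N>.
classify_run() {
    secs=$1; shift
    rc=0
    if command -v timeout >/dev/null 2>&1; then
        timeout "$secs" "$@" </dev/null >/dev/null 2>&1 || rc=$?
    else
        "$@" </dev/null >/dev/null 2>&1 || rc=$?
    fi
    case $rc in
        0)   echo ok ;;
        124) echo hang ;;   # coreutils timeout: command did not finish
        134) echo abort ;;  # 128 + SIGABRT(6): abort(), assert, ASAN report
        136) echo fpe ;;    # 128 + SIGFPE(8): e.g. division by zero
        139) echo segv ;;   # 128 + SIGSEGV(11)
        *)
            if [ "$rc" -gt 128 ]; then
                echo "signal$((rc - 128))"   # killed by some other signal
            else
                echo error                   # clean non-zero exit (corrupt-file diagnostics)
            fi ;;
    esac
}

# run_matrix: one line per (tool, PoC) pair from the report, for diffing the
# before-update and after-update runs. The PoC files are assumed to be present.
run_matrix() {
    while read -r tool args; do
        # shellcheck disable=SC2086   # $args is intentionally word-split
        printf '%-12s %-55s %s\n' "$tool" "$args" "$(classify_run 10 "$tool" $args)"
    done <<'EOF'
eu-readelf -a 00225-elfutils-heapoverflow-handle_gnu_hash
eu-readelf -a 00226-elfutils-heapoverflow-ebl_object_note_type_name
eu-readelf -a 00227-elfutils-memallocfailure
eu-addr2line -e addr2line-buffer-over-flow1
eu-readelf -S Double-free-libelf
eu-readelf --debug-dump=abbrev Buffer-over-readelf
eu-stack --core=POC-stack
eu-size eu-size_POC1
eu-size eu-size_POC2
eu-ranlib POC1
eu-ranlib POC2
eu-nm -C hbo_POC1
eu-nm -C hbo_POC2
eu-nm -C hbo_POC3
eu-stack --core=POC1.1
eu-stack --core=POC2.1
eu-readelf -a POC1.2
EOF
}

# Usage: run once before and once after the update, then diff the two files.
#   ./poc-matrix.sh > before.txt; (update elfutils); ./poc-matrix.sh > after.txt
#   diff before.txt after.txt
[ "${1:-}" = "--run" ] && run_matrix
```

Note that a tool which prints "corrupt file" diagnostics and exits non-zero is reported as `error`, which is the behaviour the fixed versions are expected to show; a reproducer is only considered still live when the classification is `segv`, `abort`, `fpe` or `hang`. A missing PoC file also exits non-zero and shows up as `error`, so check the files exist before trusting a clean run.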