Bug 20557

Summary: elfutils new security issues CVE-2016-10254 and CVE-2016-10255
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, mageia, marja11, sysadmin-bugs, tarazed25
Version: 5Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-32-OK MGA5-64-OK
Source RPM: elfutils-0.160-4.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-03-23 14:24:59 CET 
CVEs have been assigned for two security issues in elfutils:
http://openwall.com/lists/oss-security/2017/03/22/2
http://openwall.com/lists/oss-security/2017/03/22/1
David Walser 2017-03-23 14:25:07 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-03-24 08:52:53 CET 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 3 Nicolas Lécureuil 2017-05-02 21:32:12 CEST 
Fixed in cauldron

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
CC: (none) => mageia

Comment 4 David Walser 2017-12-29 23:43:51 CET 
Advisory:
========================

Updated elfutils packages fix security vulnerabilities:

The elfutils package has been updated to version 0.169 to fix several bugs that
can lead to memory allocation failures or heap overflows (CVE-2016-10254,
CVE-2016-10255, CVE-2017-7607, CVE-2017-7608, CVE-2017-7609, CVE-2017-7610,
CVE-2017-7611, CVE-2017-7612, CVE-2017-7613).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10254
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10255
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7607
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7608
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7610
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7611
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7612
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7613
http://openwall.com/lists/oss-security/2017/03/22/2
http://openwall.com/lists/oss-security/2017/03/22/1
http://openwall.com/lists/oss-security/2017/04/10/8
http://openwall.com/lists/oss-security/2017/04/10/9
http://openwall.com/lists/oss-security/2017/04/10/11
http://openwall.com/lists/oss-security/2017/04/10/12
http://openwall.com/lists/oss-security/2017/04/10/13
http://openwall.com/lists/oss-security/2017/04/10/14
http://openwall.com/lists/oss-security/2017/04/10/15
========================

Updated packages in core/updates_testing:
========================
elfutils-0.169-1.mga5
libelfutils-devel-0.169-1.mga5
libelfutils-static-devel-0.169-1.mga5
libelfutils1-0.169-1.mga5

from elfutils-0.169-1.mga5.src.rpm

Assignee: shlomif => qa-bugs

Dave Hodgins 2017-12-31 12:25:00 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Herman Viaene 2018-01-02 17:19:51 CET 
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Copied test from bug 15085
$ cd /tmp
$ printf '!<arch>\n%-48s%-10s`\n//file/\n%-48s%-10s`\n' // 8 /1 0 > test.a
$ ls
firefox_tester5/    MozillaMailnews/
gpg-ElQFK2/         mozilla_tester50/
gpg-OHrST5/         systemd-private-e2179f62be054f17b969741c7b302e73-colord.service-8IW2om/
hsperfdata_root/    systemd-private-e2179f62be054f17b969741c7b302e73-rtkit-daemon.service-itBVol/
httpd_lua_shm.4354  test.a
$ eu-ar -xv test.a
x - 
eu-ar: cannot rename temporary file to : Bestand of map bestaat niet
Same result, should be OK

Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene

Comment 6 Len Lawrence 2018-01-02 19:28:45 CET 
Mageia 5 :: x86_64

Updated the packages without issues.

Could not find an unstripped ELF file to work with.  Everything in /bin is stripped.
$ eu-readelf --strings=.gnu.version mogrify
String section [7] '.gnu.version' contains 38 bytes at offset 0x62a:
  [     0]  
.....................

Found an object file compiled from a test C program and ran eu-nm on it to list all the symbols.
$ eu-nm -a test.out
Symbols from test.out:
Name                                   Value            Class  Type     Size                      Line Section
                                      |0000000000000000|LOCAL |FILE    |0000000000000000|             |ABS
                                      |0000000000000000|LOCAL |FILE    |0000000000000000|             |ABS
_DYNAMIC                              |0000000000600e10|LOCAL |OBJECT  |0000000000000000|             |.dynamic
_GLOBAL_OFFSET_TABLE_                 |0000000000601000|LOCAL |OBJECT  |0000000000000000|             |.got.plt
_IO_stdin_used                        |0000000000400a60|GLOBAL|OBJECT  |0000000000000004|    init.c:24|.rodata
_ITM_deregisterTMCloneTable           ||WEAK  |NOTYPE  ||             |UNDEF
_ITM_registerTMCloneTable             ||WEAK  |NOTYPE  ||             |UNDEF
..........................................

Have to assume that is all correct.
If you have not worked in this field it is difficult to make sense of the multitude of options listed against the various elf tools.
Guessing here, stripping out symbols:
$ eu-strip -o teststripped.out -f extracted test.out
$ ll extracted *.out
-rwxr-xr-x 1 lcl lcl  9104 Jan  2 18:12 extracted*
-rwxr-xr-x 1 lcl lcl 12716 Jan  2 17:55 test.out*
-rwxr-xr-x 1 lcl lcl  6384 Jan  2 18:12 teststripped.out*

'extracted' contains binary data but can be examined:
 $ strings extracted
"Fl|
../sysdeps/x86_64/start.S
/home/iurt/rpmbuild/BUILD/glibc-2.20/csu
GNU AS 2.24
../sysdeps/x86_64/crti.S
/home/iurt/rpmbuild/BUILD/glibc-2.20/csu
GNU AS 2.24
../sysdeps/x86_64/crtn.S
......................................
/usr/lib/gcc/x86_64-mageia-linux-gnu/4.9.2/include
elf-init.c
stddef.h
../sysdeps/x86_64
crtn.S
long unsigned int
short unsigned int
short int
GNU C 4.9.2 -mno-tls-direct-seg-refs -mtune=generic -march=x86-64 -g -O2 -std=gnu99 -fgnu89-inline -finline-functions -fmerge-all-constants -frounding-math

and so on.  Cannot remember what this program did but the stripped version output compares well with the original.
$ ./test.out
line = 6267 (test.out) R 8053 6267 8053 34818 6267 4194304 79 0 0 0 0 0 0 0 1 0 1 0 11096728 4345856 148 18446744073709551615 4194304 4197300 140721394302144 140721394301448 140664266384896 0 0 0 0 0 0 0 17 1 0 0 0 0 0 6295032 6295680 9715712 140721394307664 140721394307675 140721394307675 140721394311149 0

tdev = 34818
line = 8053 (bash) S 7948 8053 8053 34818 6267 4194304 21712 6386706 0 209 15 0 10908 496 1 0 1 0 8755 15249408 1344 18446744073709551615 4194304 4996188 140730212367088 140730212365736 139792632102394 0 65536 3670020 1266777851 1 0 0 17 0 0 0 0 0 0 7095200 7142344 9113600 140730212374952 140730212374957 140730212374957 140730212376558 0

tdev = 34818

$ ./teststripped.out
line = 6350 (teststripped.ou) R 8053 6350 8053 34818 6350 4194304 82 0 0 0 0 0 0 0 1 0 1 0 11100066 4345856 176 18446744073709551615 4194304 4197300 140725177221232 140725177220536 140319361910272 0 0 0 0 0 0 0 17 0 0 0 0 0 0 6295032 6295680 14422016 140725177229880 140725177229899 140725177229899 140725177233381 0

tdev = 34818
line = 8053 (bash) S 7948 8053 8053 34818 6350 4194304 21872 6386915 0 209 15 0 10908 496 1 0 1 0 8755 15249408 1344 18446744073709551615 4194304 4996188 140730212367088 140730212365736 139792632102394 0 65536 3670020 1266777851 1 0 0 17 7 0 0 0 0 0 7095200 7142344 9113600 140730212374952 140730212374957 140730212374957 140730212376558 0

tdev = 34818

That looks good.  Apologies for the verbosity.
On the basis that fools rush in etc. etc. I shall take this no further and OK it forthwith.

CC: (none) => tarazed25
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Len Lawrence 2018-01-03 01:16:12 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-01-03 11:33:11 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0027.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED