| Summary: | elfutils new security issues CVE-2017-760[7-9], CVE-2017-761[0-3], CVE-2018-8769, CVE-2018-16062, CVE-2018-1640[23], CVE-2018-18310, CVE-2018-1852[01], CVE-2019-714[689], CVE-2019-7150, CVE-2019-766[45] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, marja11, shlomif, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-64-OK | | |
| Source RPM: | elfutils-0.170-1.mga7.src.rpm | CVE: | |
| Status comment: | Patches available from Ubuntu | | |
| Attachments: | A selection of POC before the update; POC tests after the updates | | |
Description
David Walser 2018-06-08 22:40:03 CEST

David Walser 2018-06-08 22:40:19 CEST
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
Assignee: bugsquad => shlomif

Fedora has issued an advisory today (June 8): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EP43TAFBHQYHEVFEGFYOXUFAUCL3CQVB/
It fixes one additional issue.
David Walser 2018-06-08 22:46:01 CEST
Summary: elfutils new security issues CVE-2017-760[7-9] and CVE-2017-761[0-3] => elfutils new security issues CVE-2017-760[7-9], CVE-2017-761[0-3], and CVE-2018-8769

elfutils-0.171-1.mga7 uploaded for Cauldron by Shlomi.
Version: Cauldron => 6

elfutils-0.172-1.mga7 uploaded for Cauldron by Shlomi. Not sure if it has more security fixes.

Fedora has issued an advisory on September 30: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZR46Q3JKQSYY2NLPY6O2VEAJ4LFJXG2T/
It fixes three new issues (fixed in 0.174).
David Walser 2018-10-15 23:36:08 CEST
Summary: elfutils new security issues CVE-2017-760[7-9], CVE-2017-761[0-3], and CVE-2018-8769 => elfutils new security issues CVE-2017-760[7-9], CVE-2017-761[0-3], CVE-2018-8769, CVE-2018-16062, CVE-2018-1640[23]
Thomas Backlund 2018-10-16 17:30:29 CEST
CC: (none) => tmb

Fedora has issued an advisory on November 18: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WVO7IN2HHZYO3TYRFQTWRN2IXLMQF7GP/
It fixes three new issues.
Whiteboard: (none) => MGA6TOO

Newest issues fixed upstream in 0.175, uploaded for Cauldron by Shlomi.
Version: Cauldron => 6

Fedora has issued an advisory today (February 18): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z6QQTO2CLXUBNNOX4DEZ5XXWJYV3SYVN/
It fixes 6 new issues (fixed upstream in 0.176).
Whiteboard: (none) => MGA6TOO

elfutils-0.176-1.mga7 uploaded for Cauldron by Shlomi.
Whiteboard: MGA6TOO => (none)
Ubuntu has issued an advisory for this on June 10: https://usn.ubuntu.com/4012-1/

Updated package uploaded by Shlomi. Advisory to come later.

Updated packages in core/updates_testing:
========================
elfutils-0.176-1.mga6
libelfutils-devel-0.176-1.mga6
libelfutils-static-devel-0.176-1.mga6
libelfutils1-0.176-1.mga6

from elfutils-0.176-1.mga6.src.rpm
Assignee: shlomif => qa-bugs

RedHat has issued an advisory for this on August 6: https://access.redhat.com/errata/RHSA-2019:2197

According to RedHat bugs:
CVE-2018-8769 not in upstream 0.170, introduced via Fedora patch we don't have.
CVE-2019-7146 issue introduced in 0.175.
CVE-2019-7148 caused by ASAN, not a real issue.

Advisory:
========================

Updated elfutils packages fix security vulnerabilities:

It was discovered that elfutils incorrectly handled certain malformed files. If a user or automated system were tricked into processing a specially crafted file, elfutils could be made to crash or consume resources, resulting in a denial of service (CVE-2017-7607, CVE-2017-7608, CVE-2017-7609, CVE-2017-7610, CVE-2017-7611, CVE-2017-7612, CVE-2017-7613, CVE-2018-16062, CVE-2018-16402, CVE-2018-16403, CVE-2018-18310, CVE-2018-18520, CVE-2018-18521, CVE-2019-7149, CVE-2019-7150, CVE-2019-7665).

In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash) (CVE-2019-7664).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7607
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7608
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7610
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7611
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7612
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7613
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18310
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7149
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7665
https://usn.ubuntu.com/3670-1/
https://usn.ubuntu.com/4012-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z6QQTO2CLXUBNNOX4DEZ5XXWJYV3SYVN/

Created attachment 11251 [details]
A selection of POC before the update

A few of the CVEs have been skipped. Post objections to qa-bugs.
CC: (none) => tarazed25

Created attachment 11252 [details]
POC tests after the updates
mga6, x86_64
Checked several of the CVEs before and after the updates. Apart from CVE-2018-16062, all the POC tests seem to indicate that the specific issues had already been fixed or were successfully treated by the latest fixes.
Tried a few functionality tests.
$ eu-readelf --strings=.gnu.version /bin/mogrify
String section [7] '.gnu.version' contains 38 bytes at offset 0x62a:
[ 0]
[...]
$ file calculate
calculate: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.32, BuildID[sha1]=327bbcffd3cec9bfcfda632fe8fa3d1cef39b21e, not stripped
$ eu-readelf -l calculate
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000040 0x0000000000400040 0x0000000000400040 0x0001f8 0x0001f8 R E 0x8
INTERP 0x000238 0x0000000000400238 0x0000000000400238 0x00001c 0x00001c R 0x1
[...]
$ eu-readelf -h /bin/ruby
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Ident Version: 1 (current)
OS/ABI: UNIX - System V
[...]
$ eu-readelf -I /bin/ruby
Histogram for bucket list length in section [ 4] '.gnu.hash' (total of 19 buckets):
Addr: 0x0000000000400298 Offset: 0x000298 Link to section: [ 5] '.dynsym'
Symbol Bias: 12
Bitmask Size: 8 bytes 32% bits set 2nd hash shift: 6
Length Number % of total Coverage
0 9 47.4%
1 9 47.4% 81.8%
2 1 5.3% 100.0%
Average number of tests: successful lookup: 1.090909
$ eu-strip -o strip.out -f extracted calculate
Both output files are stripped ELF files.
$ ll calculate strip.out extracted
-rwxr-xr-x 1 lcl lcl 17336 Aug 13 19:12 calculate*
-rwxr-xr-x 1 lcl lcl 9560 Aug 13 19:24 extracted*
-rwxr-xr-x 1 lcl lcl 10552 Aug 13 19:24 strip.out*
calculate is an interactive fortran program but I do not know how to run it exactly. It does not work like bc.
$ eu-objdump -d calculate
calculate: elf64-elf_x86_64
Disassembly of section .init:
400860: 48 83 ec 08 sub $0x8,%rsp
400864: 48 8b 05 8d 17 20 00 mov 0x20178d(%rip),%rax # 0x601ff8
40086b: 48 85 c0 test %rax,%rax
40086e: 74 05 je 0x400875
400870: e8 3b 00 00 00 callq 0x4008b0
400875: 48 83 c4 08 add $0x8,%rsp
400879: c3 retq
Disassembly of section .plt:
400880: ff 35 82 17 20 00 pushq 0x201782(%rip) # 0x602008
400886: ff 25 84 17 20 00 jmpq *0x201784(%rip) # 0x602010
40088c: 0f 1f 40 00 nopl 0x0(%rax)
[...]
$ eu-objdump -s calculate > dump
lcl@canopus:elf $ head dump
calculate: elf64-elf_x86_64
Contents of section .interp:
0000 2f6c6962 36342f6c 642d6c69 6e75782d /lib64/ld-linux-
0010 7838362d 36342e73 6f2e3200 x86-64.so.2.
Contents of section .init:
0000 4883ec08 488b058d 17200048 85c07405 H...H.... .H..t.
0010 e83b0000 004883c4 08c3 .;...H....
$ eu-nm --extern-only calculate
[...]
Name Value Class Type Size Line Section
_ITM_deregisterTMCloneTable ||WEAK |NOTYPE || |UNDEF
_ITM_registerTMCloneTable ||WEAK |NOTYPE || |UNDEF
[...]
_gfortran_set_args@@GFORTRAN_1.0 ||GLOBAL|FUNC || |UNDEF
_gfortran_set_options@@GFORTRAN_1.0 ||GLOBAL|FUNC || |UNDEF
[...]
$ eu-elfcmp strip.out calculate
eu-elfcmp: strip.out calculate diff: section count
$ eu-elfcmp calculate extracted
eu-elfcmp: calculate extracted differ: section [1] '.interp' header
$ eu-size /bin/ruby
text data bss dec hex filename
2313 616 8 2937 b79 /bin/ruby
$ eu-size /bin/stellarium
text data bss dec hex filename
13717547 144285 277168 14139000 d7be78 /bin/stellarium
$ eu-strings /bin/stellarium | grep DATA | sort -u
QTMETADATA qbjs
QZip: Z_DATA_ERROR: Input data is corrupted
No failures or regressions detected. Giving this a 64bit OK.
Whiteboard: (none) => MGA6-64-OK

Validating. Advisory in Comment 13.
Keywords: (none) => validated_update
Thomas Backlund 2019-08-18 12:56:15 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0222.html
Status: NEW => RESOLVED
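The advisory in this thread describes CVE-2019-7664 as a negative-sized memcpy in elf_cvt_note caused by an incorrect overflow check. The C program below is an added example written for this page; it is not elfutils code and does not reproduce that bug. It shows the general pitfall behind this class of defect (rounding a 32-bit ELF note size field up to 4-byte alignment in 32-bit arithmetic wraps at 2^32, so a size check can pass for a length that can never fit in the input) beside an overflow-safe walker that checks each padded size against the bytes actually remaining in 64-bit arithmetic and rejects the note instead of copying. The function names, the little-endian assumption and the sample note blobs are the example's own; the build-id bytes in the good sample are the value shown in the `file calculate` output above.

```c
/* Added example (not elfutils code): an overflow-safe walker for the
 * contents of an ELF note section or segment. Each note is three uint32
 * fields (n_namesz, n_descsz, n_type) followed by the name and the
 * descriptor, each padded to a 4-byte boundary. Assumption: the blob is
 * little-endian (ELFDATA2LSB), like the x86-64 objects tested above. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NOTE_ALIGN    4u
#define NOTE_HDR_SIZE 12u   /* n_namesz + n_descsz + n_type */

typedef struct {
    uint32_t namesz, descsz, type;
    const uint8_t *name;    /* points into the caller's buffer */
    const uint8_t *desc;
} note_t;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Round a 32-bit size up to NOTE_ALIGN in 64-bit arithmetic; the result is
 * at most 2^32 + 3, so it can never wrap. */
static uint64_t padded(uint32_t sz) {
    return (uint64_t)sz + (NOTE_ALIGN - sz % NOTE_ALIGN) % NOTE_ALIGN;
}

/* The pitfall, kept for contrast: rounding in the field's own 32-bit type
 * wraps, so namesz 0xfffffffd rounds to 0 and "fits" in any buffer. A copy
 * sized from the raw namesz afterwards would be enormous. */
int naive_fits(uint32_t namesz, uint32_t descsz, uint32_t remaining) {
    uint32_t need = ((namesz + 3u) & ~3u) + ((descsz + 3u) & ~3u);
    return need <= remaining;
}

/* Overflow-safe check: compare each padded size with what is left, one at a
 * time and by subtraction, so no intermediate can exceed the input length.
 * The descriptor of the final note is allowed to be unpadded. */
int note_fits(uint32_t namesz, uint32_t descsz, uint64_t remaining) {
    uint64_t need_name = padded(namesz);
    if (need_name > remaining) return 0;
    remaining -= need_name;
    return (uint64_t)descsz <= remaining;
}

/* Parse the note at buf[0..len). Returns the bytes it occupies (> 0), or 0
 * if the header does not fit or it claims more data than len holds. */
size_t parse_note(const uint8_t *buf, size_t len, note_t *out) {
    if (len < NOTE_HDR_SIZE) return 0;
    uint32_t namesz = rd32le(buf), descsz = rd32le(buf + 4), type = rd32le(buf + 8);
    uint64_t remaining = len - NOTE_HDR_SIZE;
    if (!note_fits(namesz, descsz, remaining)) return 0;
    uint64_t need_name = padded(namesz);
    uint64_t after_name = remaining - need_name;
    uint64_t need_desc = padded(descsz);
    if (need_desc > after_name) need_desc = after_name;   /* unpadded final desc */
    out->namesz = namesz; out->descsz = descsz; out->type = type;
    out->name = buf + NOTE_HDR_SIZE;
    out->desc = out->name + need_name;
    return (size_t)(NOTE_HDR_SIZE + need_name + need_desc);
}

/* Walk every note in the blob. Returns the note count, or -1 as soon as a
 * note is truncated or oversized, without ever reading past buf[len). */
int count_notes(const uint8_t *buf, size_t len) {
    int n = 0;
    for (size_t off = 0; off < len; n++) {
        note_t nt;
        size_t used = parse_note(buf + off, len - off, &nt);
        if (used == 0) return -1;
        off += used;
    }
    return n;
}

/* Constructed samples. GOOD_NOTES: a GNU ABI-tag note (type 1, 16-byte desc
 * for Linux 2.6.32) followed by a GNU build-id note (type 3, the 20-byte id
 * from the `file calculate` output above). The BAD_* blobs carry oversized
 * size fields and must be rejected. */
const uint8_t GOOD_NOTES[] = {
    4,0,0,0, 16,0,0,0, 1,0,0,0, 'G','N','U',0,
    0,0,0,0, 2,0,0,0, 6,0,0,0, 32,0,0,0,
    4,0,0,0, 20,0,0,0, 3,0,0,0, 'G','N','U',0,
    0x32,0x7b,0xbc,0xff,0xd3,0xce,0xc9,0xbf,0xcf,0xda,
    0x63,0x2f,0xe8,0xfa,0x3d,0x1c,0xef,0x39,0xb2,0x1e,
};
/* descsz = 0xffffffff with only 4 bytes of data after the name */
const uint8_t BAD_DESCSZ[] = {
    4,0,0,0, 0xff,0xff,0xff,0xff, 3,0,0,0, 'G','N','U',0, 1,2,3,4,
};
/* namesz = 0xfffffffd: rounds to 0 in 32-bit arithmetic, to 2^32 in 64-bit */
const uint8_t BAD_NAMESZ[] = {
    0xfd,0xff,0xff,0xff, 0,0,0,0, 0,0,0,0, 'G','N','U',0,
};

int main(void) {
    printf("good notes: %d\n", count_notes(GOOD_NOTES, sizeof(GOOD_NOTES)));
    printf("bad descsz: %d\n", count_notes(BAD_DESCSZ, sizeof(BAD_DESCSZ)));
    printf("bad namesz: %d\n", count_notes(BAD_NAMESZ, sizeof(BAD_NAMESZ)));
    printf("naive check accepts namesz 0xfffffffd: %d\n", naive_fits(0xfffffffdu, 0, 4));
    return 0;
}
```

The point of `note_fits` is that the remaining length shrinks as each field is accounted for, so a single comparison per field is enough and no sum of attacker-controlled sizes is ever formed; `naive_fits` forms exactly such a sum in the field's own width and is kept only to show why the 32-bit check is not a bounds check at all.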