Bug 23160 - elfutils new security issues CVE-2017-760[7-9], CVE-2017-761[0-3], CVE-2018-8769, CVE-2018-16062, CVE-2018-1640[23], CVE-2018-18310, CVE-2018-1852[01], CVE-2019-714[689], CVE-2019-7150, CVE-2019-766[45]
Summary: elfutils new security issues CVE-2017-760[7-9], CVE-2017-761[0-3], CVE-2018-8...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-08 22:40 CEST by David Walser
Modified: 2019-08-18 14:40 CEST (History)
6 users (show)

See Also:
Source RPM: elfutils-0.170-1.mga7.src.rpm
CVE:
Status comment: Patches available from Ubuntu


Attachments
A selection of POC before the update (3.65 KB, text/plain)
2019-08-13 18:58 CEST, Len Lawrence
Details
POC tests after the updates (1.44 KB, text/plain)
2019-08-13 19:54 CEST, Len Lawrence
Details

Description David Walser 2018-06-08 22:40:03 CEST
Ubuntu has issued an advisory on June 5:
https://usn.ubuntu.com/3670-1/

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-06-08 22:40:19 CEST

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Patches available from Ubuntu

Comment 1 Marja Van Waes 2018-06-08 22:42:00 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 David Walser 2018-06-08 22:45:45 CEST
Fedora has issued an advisory today (June 8):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EP43TAFBHQYHEVFEGFYOXUFAUCL3CQVB/

It fixes one additional issue.
David Walser 2018-06-08 22:46:01 CEST

Summary: elfutils new security issues CVE-2017-760[7-9] and CVE-2017-761[0-3] => elfutils new security issues CVE-2017-760[7-9], CVE-2017-761[0-3], and CVE-2018-8769

Comment 3 David Walser 2018-06-09 16:42:20 CEST
elfutils-0.171-1.mga7 uploaded for Cauldron by Shlomi.

Whiteboard: MGA6TOO => MGA5TOO
Version: Cauldron => 6

Comment 4 David Walser 2018-06-22 20:06:32 CEST
elfutils-0.172-1.mga7 uploaded for Cauldron by Shlomi.  Not sure if it has more security fixes.
Comment 5 David Walser 2018-10-15 23:35:47 CEST
Fedora has issued an advisory on September 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZR46Q3JKQSYY2NLPY6O2VEAJ4LFJXG2T/

It fixes three new issues (fixed in 0.174).
David Walser 2018-10-15 23:36:08 CEST

Summary: elfutils new security issues CVE-2017-760[7-9], CVE-2017-761[0-3], and CVE-2018-8769 => elfutils new security issues CVE-2017-760[7-9], CVE-2017-761[0-3], CVE-2018-8769, CVE-2018-16062, CVE-2018-1640[23]

Thomas Backlund 2018-10-16 17:30:29 CEST

CC: (none) => tmb
Whiteboard: MGA5TOO => (none)

Comment 6 David Walser 2018-11-20 23:38:22 CET
Fedora has issued an advisory on November 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WVO7IN2HHZYO3TYRFQTWRN2IXLMQF7GP/

It fixes three new issues.

Summary: elfutils new security issues CVE-2017-760[7-9], CVE-2017-761[0-3], CVE-2018-8769, CVE-2018-16062, CVE-2018-1640[23] => elfutils new security issues CVE-2017-760[7-9], CVE-2017-761[0-3], CVE-2018-8769, CVE-2018-16062, CVE-2018-1640[23], CVE-2018-18310, CVE-2018-1852[01]
Whiteboard: (none) => MGA6TOO
Version: 6 => Cauldron

Comment 7 David Walser 2019-01-01 03:12:43 CET
Newest issues fixed upstream in 0.175, uploaded for Cauldron by Shlomi.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 8 David Walser 2019-02-19 00:40:38 CET
Fedora has issued an advisory today (February 18):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z6QQTO2CLXUBNNOX4DEZ5XXWJYV3SYVN/

It fixes 6 new issues (fixed upstream in 0.176).

Version: 6 => Cauldron
Whiteboard: (none) => MGA6TOO
Summary: elfutils new security issues CVE-2017-760[7-9], CVE-2017-761[0-3], CVE-2018-8769, CVE-2018-16062, CVE-2018-1640[23], CVE-2018-18310, CVE-2018-1852[01] => elfutils new security issues CVE-2017-760[7-9], CVE-2017-761[0-3], CVE-2018-8769, CVE-2018-16062, CVE-2018-1640[23], CVE-2018-18310, CVE-2018-1852[01], CVE-2019-714[689], CVE-2019-7150, CVE-2019-766[45]

Comment 9 David Walser 2019-03-16 14:46:00 CET
elfutils-0.176-1.mga7 uploaded for Cauldron by Shlomi.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 10 David Walser 2019-08-11 22:45:13 CEST
Ubuntu has issued an advisory for this on June 10:
https://usn.ubuntu.com/4012-1/
Comment 11 David Walser 2019-08-12 15:37:08 CEST
Updated package uploaded by Shlomi.  Advisory to come later.

Updated packages in core/updates_testing:
========================
elfutils-0.176-1.mga6
libelfutils-devel-0.176-1.mga6
libelfutils-static-devel-0.176-1.mga6
libelfutils1-0.176-1.mga6

from elfutils-0.176-1.mga6.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs

Comment 12 David Walser 2019-08-12 20:07:00 CEST
RedHat has issued an advisory for this on August 6:
https://access.redhat.com/errata/RHSA-2019:2197
Comment 13 David Walser 2019-08-12 21:31:06 CEST
According to RedHat bugs:
CVE-2018-8769 not in upstream 0.170, introduced via Fedora patch we don't have.
CVE-2019-7146 issue introduced in 0.175.
CVE-2019-7148 caused by ASAN, not a real issue.

Advisory:
========================

Updated elfutils packages fix security vulnerabilities:

It was discovered that elfutils incorrectly handled certain malformed files.
If a user or automated system were tricked into processing a specially crafted
file, elfutils could be made to crash or consume resources, resulting in a
denial of service (CVE-2017-7607, CVE-2017-7608, CVE-2017-7609, CVE-2017-7610,
CVE-2017-7611, CVE-2017-7612, CVE-2017-7613, CVE-2018-16062, CVE-2018-16402,
CVE-2018-16403, CVE-2018-18310, CVE-2018-18520, CVE-2018-18521, CVE-2019-7149,
CVE-2019-7150, CVE-2019-7665).

In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in
libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input
causes a segmentation fault, leading to denial of service (program crash)
(CVE-2019-7664).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7607
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7608
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7610
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7611
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7612
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7613
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18310
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7149
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7665
https://usn.ubuntu.com/3670-1/
https://usn.ubuntu.com/4012-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z6QQTO2CLXUBNNOX4DEZ5XXWJYV3SYVN/
Comment 14 Len Lawrence 2019-08-13 18:58:57 CEST
Created attachment 11251 [details]
A selection of POC before the update

A few of the CVEs have been skipped.  Post objections to qa-bugs.

CC: (none) => tarazed25

Comment 15 Len Lawrence 2019-08-13 19:54:19 CEST
Created attachment 11252 [details]
POC tests after the updates
Comment 16 Len Lawrence 2019-08-13 21:00:50 CEST
mga6, x86_64

Checked several of the CVEs before and after the updates.  Apart from CVE-2018-16062, all the POC tests seem to indicate that the specific issues had already been fixed already or successfully treated by the latest fixes.

Tried a few functionality tests.

$ eu-readelf --strings=.gnu.version /bin/mogrify

String section [7] '.gnu.version' contains 38 bytes at offset 0x62a:
  [     0]  
[...]

$ file calculate
calculate: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.32, BuildID[sha1]=327bbcffd3cec9bfcfda632fe8fa3d1cef39b21e, not stripped
$ eu-readelf -l calculate
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  PHDR           0x000040 0x0000000000400040 0x0000000000400040 0x0001f8 0x0001f8 R E 0x8
  INTERP         0x000238 0x0000000000400238 0x0000000000400238 0x00001c 0x00001c R   0x1
[...]

$ eu-readelf -h /bin/ruby
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Ident Version:                     1 (current)
  OS/ABI:                            UNIX - System V
[...]
$ eu-readelf -I /bin/ruby

Histogram for bucket list length in section [ 4] '.gnu.hash' (total of 19 buckets):
 Addr: 0x0000000000400298  Offset: 0x000298  Link to section: [ 5] '.dynsym'
 Symbol Bias: 12
 Bitmask Size: 8 bytes  32% bits set  2nd hash shift: 6
 Length  Number  % of total  Coverage
      0       9       47.4%
      1       9       47.4%     81.8%
      2       1        5.3%    100.0%
 Average number of tests:   successful lookup: 1.090909

$ eu-strip -o strip.out -f extracted calculate
Both output files are stripped ELF files.$ ll calculate strip.out extracted
-rwxr-xr-x 1 lcl lcl 17336 Aug 13 19:12 calculate*
-rwxr-xr-x 1 lcl lcl  9560 Aug 13 19:24 extracted*
-rwxr-xr-x 1 lcl lcl 10552 Aug 13 19:24 strip.out*

calculate is an interactive fortran program but I do not know how to run it exactly.  It does not work like bc.

$ eu-objdump -d calculate
calculate: elf64-elf_x86_64

Disassembly of section .init:

  400860:    48 83 ec 08              sub     $0x8,%rsp
  400864:    48 8b 05 8d 17 20 00     mov     0x20178d(%rip),%rax        # 0x601ff8
  40086b:    48 85 c0                 test    %rax,%rax
  40086e:    74 05                    je      0x400875
  400870:    e8 3b 00 00 00           callq   0x4008b0
  400875:    48 83 c4 08              add     $0x8,%rsp
  400879:    c3                       retq
Disassembly of section .plt:

  400880:    ff 35 82 17 20 00        pushq   0x201782(%rip)             # 0x602008
  400886:    ff 25 84 17 20 00        jmpq    *0x201784(%rip)            # 0x602010
  40088c:    0f 1f 40 00              nopl    0x0(%rax)
[...]

$ eu-objdump -s calculate > dump
lcl@canopus:elf $ head dump
calculate: elf64-elf_x86_64

Contents of section .interp:
 0000 2f6c6962 36342f6c 642d6c69 6e75782d  /lib64/ld-linux-
 0010 7838362d 36342e73 6f2e3200           x86-64.so.2.

Contents of section .init:
 0000 4883ec08 488b058d 17200048 85c07405  H...H.... .H..t.
 0010 e83b0000 004883c4 08c3               .;...H....

$ eu-nm --extern-only calculate
[...]
Name                                             Value            Class  Type     Size                      Line Section

_ITM_deregisterTMCloneTable                     ||WEAK  |NOTYPE  ||             |UNDEF
_ITM_registerTMCloneTable                       ||WEAK  |NOTYPE  ||             |UNDEF
[...]
_gfortran_set_args@@GFORTRAN_1.0                ||GLOBAL|FUNC    ||             |UNDEF
_gfortran_set_options@@GFORTRAN_1.0             ||GLOBAL|FUNC    ||             |UNDEF
[...]

$ eu-elfcmp strip.out calculate
eu-elfcmp: strip.out calculate diff: section count
$ eu-elfcmp calculate extracted
eu-elfcmp: calculate extracted differ: section [1] '.interp' header

$ eu-size /bin/ruby
              text               data                bss                dec            hex filename
              2313                616                  8               2937            b79 /bin/ruby

$ eu-size /bin/stellarium
              text               data                bss                dec            hex filename
          13717547             144285             277168           14139000         d7be78 /bin/stellarium

$ eu-strings /bin/stellarium | grep DATA | sort -u
QTMETADATA  qbjs
QZip: Z_DATA_ERROR: Input data is corrupted

No failures or regressions detected.  Giving this a 64bit OK.

Whiteboard: (none) => MGA6-64-OK

Comment 17 Thomas Andrews 2019-08-18 02:49:27 CEST
Validating. Advisory in Comment 13.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2019-08-18 12:56:15 CEST

Keywords: (none) => advisory

Comment 18 Mageia Robot 2019-08-18 14:40:54 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0222.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.