Bug 25955 - libdwarf new security issue CVE-2019-14249
Summary: libdwarf new security issue CVE-2019-14249
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-26 04:02 CET by David Walser
Modified: 2020-01-05 16:40 CET

See Also:
Source RPM: libdwarf-20170709-0.2.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2019-12-26 04:02:51 CET
Fedora has issued an advisory on October 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/23RIFYDK2JZDBZP6RPYXPF56HCYYKJDL/

The issue was fixed upstream on 2019-07-05.

Mageia 7 is also affected.

David Walser 2019-12-26 04:03:00 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-12-26 20:53:44 CET
Assigning to DavidG because you have already done it ! (again...)
"new version: 20191104, fixes CVE-2019-14249 (mga#25955)"

CC'ing Thierry as the registered maintainer.

This will need an advisory when pushed to core/updates & QA.

CC: (none) => thierry.vignaud
Assignee: bugsquad => geiger.david68210

Comment 2 David Walser 2019-12-26 21:06:00 CET
Indeed, fixed in libdwarf-20191104-1.mga8 by David.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 3 David GEIGER 2019-12-27 07:49:34 CET
Done!

Comment 4 David Walser 2019-12-27 16:01:27 CET
Advisory:
========================

Updated libdwarf packages fix security vulnerability:

dwarf_elf_load_headers.c in libdwarf before 2019-07-05 allows attackers to
cause a denial of service (division by zero) via an ELF file with a zero-size
section group (SHT_GROUP), as demonstrated by dwarfdump (CVE-2019-14249).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14249
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/23RIFYDK2JZDBZP6RPYXPF56HCYYKJDL/
========================

Updated packages in core/updates_testing:
========================
libdwarf1-20191104-1.mga7
libdwarf-devel-20191104-1.mga7
libdwarf-static-20191104-1.mga7
libdwarf-tools-20191104-1.mga7

from libdwarf-20191104-1.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
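
The condition named in the Comment 4 advisory, written as a pre-parse check (an added example, not code from libdwarf or from this bug report): it walks an ELF section header table and reports SHT_GROUP sections whose sh_size is 0. The function names and the `sample_elf64` fixture are assumptions constructed for the example.

```python
import struct

SHT_GROUP = 17  # sh_type value for section groups in the ELF specification

def zero_size_groups(data):
    """Return the indexes of SHT_GROUP sections whose sh_size is 0."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("bad EI_CLASS or EI_DATA")
    is64 = data[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little, 2 = big endian
    if len(data) < (64 if is64 else 52):
        raise ValueError("truncated ELF header")
    if is64:
        (shoff,) = struct.unpack_from(end + "Q", data, 0x28)
        shentsize, shnum = struct.unpack_from(end + "HH", data, 0x3A)
        size_fmt, size_off, min_ent = "Q", 32, 64
    else:
        (shoff,) = struct.unpack_from(end + "I", data, 0x20)
        shentsize, shnum = struct.unpack_from(end + "HH", data, 0x2E)
        size_fmt, size_off, min_ent = "I", 20, 40
    if shnum and shentsize < min_ent:
        raise ValueError("section header entry too small")
    if shoff + shnum * shentsize > len(data):
        raise ValueError("section header table runs past end of file")
    hits = []
    for i in range(shnum):
        base = shoff + i * shentsize
        (sh_type,) = struct.unpack_from(end + "I", data, base + 4)
        (sh_size,) = struct.unpack_from(end + size_fmt, data, base + size_off)
        if sh_type == SHT_GROUP and sh_size == 0:
            hits.append(i)
    return hits

def sample_elf64(group_sizes):
    """Constructed fixture: ELF64 little-endian header plus bare section headers."""
    shdr = "<IIQQQQIIQQ"  # name, type, flags, addr, offset, size, link, info, align, entsize
    table = [struct.pack(shdr, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)]  # index 0: null section
    for size in group_sizes:
        table.append(struct.pack(shdr, 0, SHT_GROUP, 0, 0, 64, size, 0, 0, 4, 4))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = struct.pack("<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, 64, 0, 64, 0, 0, 64, len(table), 0)
    return ident + ehdr + b"".join(table)

if __name__ == "__main__":
    print(zero_size_groups(sample_elf64([8, 0, 12])))
```

Files that use extended section numbering (e_shnum of 0 with the real count stored in section 0) are not handled by this check.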

Comment 5 Len Lawrence 2020-01-02 17:44:51 CET
Mageia7, x86_64

Installed lib64dwarf1-20170709 et al.
CVE-2019-13249
No reproducer available.

Attempt to define what a DWARF is:
A standardized debugging data format which uses Data Information Entries (DIEs) to represent variables, types, procedures etc.  DIEs can be nested and contain attributes referring to the objects they represent or other DIEs.  For further information see Wikipedia https://en.wikipedia.org/wiki/DWARF.

$ urpmq -i libdwarf-tools
[...]
C++ version of dwarfdump (dwarfdump2) command-line utilities
to access DWARF debug information.

dwarfdump is proving difficult to locate:
$ which dwarfdump -> nothing
$ which dwarfdump2 -> nothing
$ locate dwarfdump
/usr/bin/llvm-dwarfdump
...
$ apropos dwarfdump
llvm-dwarfdump (1)   - dump and verify DWARF debug information

Looks like that might be it, but how does llvm get in on the act one wonders?
Anybody know if this is the correct utility?

CC: (none) => tarazed25

Comment 6 Len Lawrence 2020-01-02 18:29:32 CET
Follow-on from comment 5.  llvm-dwarfdump can certainly be run against ELF binaries to return a lot of information.

$ rpm -q --whatprovides llvm-dwarfdump
no package provides llvm-dwarfdump

??

Comment 7 Thomas Backlund 2020-01-02 18:46:23 CET
$ urpmf llvm-dwarfdump
llvm:/usr/bin/llvm-dwarfdump

CC: (none) => tmb

Comment 8 Len Lawrence 2020-01-02 18:51:12 CET
Ah.  Takk Thomas.

Updated all four packages.
# updatedb
$ locate dwarfdump
/usr/bin/dwarfdump
/usr/share/dwarfdump
/usr/share/dwarfdump/dwarfdump.conf
/usr/share/man/man1/dwarfdump.1.xz

omitting llvm references.

$ man dwarfdump
now returns help information.

$ dwarfdump -E /usr/bin/okular

Info for 31 sections:
  Nro Index Address    Size(h)    Size(d)  Name
    1 0x001 0x004002a8 0x0000001c 00000028 .interp
    2 0x002 0x004002c4 0x00000024 00000036 .note.gnu.build-id
[...]
   29 0x01d 0x00000000 0x00000dfc 00003580 .gnu_debugdata
   30 0x01e 0x00000000 0x00000124 00000292 .shstrtab
*** Summary: 139010 bytes for 30 section(s) ***

$ dwarfdump --print-info /usr/bin/stellarium
.debug_info

$ dwarfdump -F /usr/bin/gimp-2.10

.eh_frame

fde:
<    0><0x0048d020:0x00498580><><cie offset 0x0000001c::cie index     1><fde offset 0x00000048 length: 0x00000024>
       <eh aug data len 0x0>
        0x0048d020: <off cfa=16(r7) > <off r16=-8(cfa) > 
[...]
	16 DW_CFA_offset r14 -24
	18 DW_CFA_offset r15 -16
	20 DW_CFA_nop
	21 DW_CFA_nop
	22 DW_CFA_nop

We can take it that this is OK.

Len Lawrence 2020-01-03 11:14:20 CET

Whiteboard: (none) => MGA7-64-OK

Comment 9 Thomas Andrews 2020-01-03 19:56:29 CET
Once again you have exceeded any abilities I might have had, Len. Thank you.

Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-01-05 14:43:45 CET

Keywords: (none) => advisory

Comment 10 Mageia Robot 2020-01-05 16:40:09 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0017.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

