Opened 2 years ago
Closed 2 years ago
New minor version.
According to Arch, 5 "security issues" were fixed in this version. I don't see any rush to update it though, but here they are for documentation purposes:
In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.
In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).
An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service.
A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service.
An attempted excessive memory allocation was discovered in the function read_long_names in elf_begin.c in libelf in elfutils <= 0.175. Remote attackers could leverage this vulnerability to cause a denial-of-service via crafted elf input, which leads to an out-of-memory exception.
The only thing I see concerning out of that list is the out-of-memory problem. I'm not sure it's worth breaking freeze to update though.
Again, this is put here for documentation purposes.
Promote to 8.4
Fixed at revision 11535.
Powered by Trac 1.5.3.dev0
By Edgewall Software
© 1998-2021 Gerard Beekmans.