[Buildroot] [PATCH] elfutils: security bump to version 0.174
Peter Korsgaard
peter at korsgaard.com
Mon Nov 26 08:44:09 UTC 2018
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security issues:
> CVE-2018-16062: dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils
> before 2018-08-18 allows remote attackers to cause a denial of service
> (heap-based buffer over-read) via a crafted file.
> CVE-2018-16402: libelf/elf_end.c in elfutils 0.173 allows remote attackers
> to cause a denial of service (double free and application crash) or possibly
> have unspecified other impact because it tries to decompress twice.
> CVE-2018-16403: libdw in elfutils 0.173 checks the end of the attributes
> list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr
> in dwarf_hasattr.c, leading to a heap-based buffer over-read and an
> application crash.
> For more details, see the announcement:
> https://sourceware.org/ml/elfutils-devel/2018-q3/msg00116.html
> 0.172 and 0.173 also included fixes for crashes and hangs found by afl-fuzz
> (no CVEs assigned):
> https://sourceware.org/ml/elfutils-devel/2018-q2/msg00272.html
> https://sourceware.org/ml/elfutils-devel/2018-q2/msg00209.html
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2018.02.x and 2018.08.x, thanks.
--
Bye, Peter Korsgaard