[Buildroot] [PATCH] elfutils: security bump to version 0.174

Peter Korsgaard peter at korsgaard.com
Mon Nov 26 08:44:09 UTC 2018


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issues:
 > CVE-2018-16062: dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils
 > before 2018-08-18 allows remote attackers to cause a denial of service
 > (heap-based buffer over-read) via a crafted file.

 > CVE-2018-16402: libelf/elf_end.c in elfutils 0.173 allows remote attackers
 > to cause a denial of service (double free and application crash) or possibly
 > have unspecified other impact because it tries to decompress twice.

 > CVE-2018-16403: libdw in elfutils 0.173 checks the end of the attributes
 > list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr
 > in dwarf_hasattr.c, leading to a heap-based buffer over-read and an
 > application crash.

 > For more details, see the announcement:
 > https://sourceware.org/ml/elfutils-devel/2018-q3/msg00116.html

 > 0.172 and 0.173 also included fixes for crashes and hangs found by afl-fuzz
 > (no CVEs assigned):
 > https://sourceware.org/ml/elfutils-devel/2018-q2/msg00272.html
 > https://sourceware.org/ml/elfutils-devel/2018-q2/msg00209.html

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2018.02.x and 2018.08.x, thanks.

-- 
Bye, Peter Korsgaard


More information about the buildroot mailing list