Bug 1112726 (CVE-2018-18520)

Summary: VUL-1: CVE-2018-18520: elfutils: An Invalid Memory Address Dereference exists in the function elf_end in libelf
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Martin Liška <martin.liska>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: abergmann, jmoreira, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/217732/
Whiteboard: CVSSv3:RedHat:CVE-2018-18520:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv3:SUSE:CVE-2018-18520:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv2:NVD:CVE-2018-18520:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv3:NVD:CVE-2018-18520:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: QA reproducer (1)
QA reproducer (2)

Description Robert Frohl 2018-10-22 11:18:37 UTC
CVE-2018-18520

An Invalid Memory Address Dereference exists in the function elf_end in
libelf in elfutils through v0.174. Although eu-size is intended to
support ar files inside ar files, handle_ar in size.c closes the outer
ar file before handling all inner entries. The vulnerability allows
attackers to cause a denial of service (application crash) with a
crafted ELF file.

upstream patch:
https://sourceware.org/ml/elfutils-devel/2018-q4/msg00057.html

upstream ticket:
https://sourceware.org/bugzilla/show_bug.cgi?id=23787


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18520
http://www.cvedetails.com/cve/CVE-2018-18520/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18520
Comment 1 Robert Frohl 2018-10-22 11:21:21 UTC
Created attachment 786675 [details]
QA reproducer (1)

$ eu-size eu-size_POC1
Segmentation fault (core dumped)
Comment 2 Robert Frohl 2018-10-22 11:24:15 UTC
Created attachment 786678 [details]
QA reproducer (2)

$ eu-size eu-size_POC2
Segmentation fault (core dumped)

Same results as the first reproducer, tested in LEAP docker container
Comment 3 Robert Frohl 2018-10-22 11:26:19 UTC
Hi João,
my investigation suggests that all codestreams are affected:
- SUSE:SLE-15:Update/elfutils
- SUSE:SLE-12:Update/elfutils
- SUSE:SLE-11-SP2:Update/elfutils
- SUSE:SLE-11-SP1:Update/elfutils
Comment 11 João Moreira 2019-06-12 16:02:30 UTC
SLE15: Reproduced and fixed
SLE12: Reproduced and fixed
SLE11-SP2: Reproduced and fixed
SLE11-SP1: Not reproduced, upstream patch applied
Comment 13 Swamp Workflow Management 2019-06-13 13:13:26 UTC
SUSE-SU-2019:1486-1: An update that fixes 15 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007
CVE References: CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    elfutils-0.168-4.5.3
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    elfutils-0.168-4.5.3
SUSE Linux Enterprise Module for Basesystem 15 (src):    elfutils-0.168-4.5.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2019-06-20 01:15:17 UTC
openSUSE-SU-2019:1590-1: An update that fixes 15 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007
CVE References: CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665
Sources used:
openSUSE Leap 15.1 (src):    elfutils-0.168-lp151.4.3.1
openSUSE Leap 15.0 (src):    elfutils-0.168-lp150.3.3.1
Comment 15 Swamp Workflow Management 2019-07-03 16:14:11 UTC
SUSE-SU-2019:1733-1: An update that fixes 15 vulnerabilities is now available.

Category: security (low)
Bug References: 1030472,1030476,1033084,1033085,1033087,1033088,1033089,1033090,1106390,1107067,1111973,1112723,1112726,1123685,1125007
CVE References: CVE-2016-10254,CVE-2016-10255,CVE-2017-7607,CVE-2017-7608,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    elfutils-0.158-7.7.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    elfutils-0.158-7.7.2
SUSE Linux Enterprise Server 12-SP4 (src):    elfutils-0.158-7.7.2
SUSE Linux Enterprise Server 12-SP3 (src):    elfutils-0.158-7.7.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    elfutils-0.158-7.7.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    elfutils-0.158-7.7.2
SUSE CaaS Platform 3.0 (src):    elfutils-0.158-7.7.2
OpenStack Cloud Magnum Orchestration 7 (src):    elfutils-0.158-7.7.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Marcus Meissner 2020-01-08 09:49:59 UTC
-> reassign to current maintainer
Comment 17 Marcus Meissner 2020-07-31 06:59:48 UTC
done
Comment 20 Swamp Workflow Management 2022-08-01 13:18:10 UTC
SUSE-SU-2022:2614-1: An update that fixes 19 vulnerabilities, contains one feature is now available.

Category: security (moderate)
Bug References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1082318,1104264,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007
CVE References: CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7146,CVE-2019-7148,CVE-2019-7149,CVE-2019-7150,CVE-2019-7664,CVE-2019-7665
JIRA References: SLE-24501
Sources used:
openSUSE Leap 15.3 (src):    dwarves-1.22-150300.7.3.1, elfutils-0.177-150300.11.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    dwarves-1.22-150300.7.3.1, elfutils-0.177-150300.11.3.1
SUSE Linux Enterprise Micro 5.2 (src):    dwarves-1.22-150300.7.3.1, elfutils-0.177-150300.11.3.1
SUSE Linux Enterprise Micro 5.1 (src):    dwarves-1.22-150300.7.3.1, elfutils-0.177-150300.11.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2022-09-01 15:35:02 UTC
SUSE-SU-2022:2614-2: An update that fixes 19 vulnerabilities, contains one feature is now available.

Category: security (moderate)
Bug References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1082318,1104264,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007
CVE References: CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7146,CVE-2019-7148,CVE-2019-7149,CVE-2019-7150,CVE-2019-7664,CVE-2019-7665
JIRA References: SLE-24501
Sources used:
openSUSE Leap Micro 5.2 (src):    dwarves-1.22-150300.7.3.1, elfutils-0.177-150300.11.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.