Bug 1125008 (CVE-2019-7664)

Summary: VUL-1: CVE-2019-7664: elfutils: negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Martin Liška <martin.liska>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: abergmann, jmoreira, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/224492/
Whiteboard: CVSSv3:SUSE:CVE-2019-7664:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: QA Reproducer

Description Robert Frohl 2019-02-11 15:19:44 UTC
CVE-2019-7664

In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in
libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input
causes a segmentation fault, leading to denial of service (program crash).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-7664
https://sourceware.org/bugzilla/show_bug.cgi?id=24084
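Added illustration of the bug class the CVE text describes: a note walker whose bounds check is computed on a different quantity than the one it later subtracts, so the remaining length wraps to a huge value and the next copy runs off the buffer. This is example code written for this page, not elfutils' libelf/note_xlate.h and not the upstream fix; the exact form of the elfutils check is documented in the sourceware bug linked above. The flawed variant (guard forgets the 12-byte header), the 4-byte alignment, the helper names and the constructed little-endian note buffer are all assumptions made for the illustration. The hardened variant computes the full note span with overflow-safe arithmetic before touching any bytes, which is the property a fixed walker must have whatever the original slip was.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative note walker, not elfutils' note_xlate.h.  An ELF note is a
   12-byte header (n_namesz, n_descsz, n_type) followed by the name and the
   descriptor, each padded to the note alignment (4, or 8 for GNU property
   notes).  Elf32_Nhdr and Elf64_Nhdr have the same layout. */
typedef struct { uint32_t n_namesz, n_descsz, n_type; } nhdr_t;
#define NHDR_SIZE 12u

static size_t note_align(size_t x, size_t align)
{
    return (x + align - 1) & ~(align - 1);   /* may wrap on 32-bit size_t */
}

/* Read a little-endian 32-bit field; constructed input below is LE. */
static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Flawed accounting (hypothetical): the guard compares name+desc against the
   bytes left *before* the header has been charged, so a payload that ends
   within 12 bytes of the buffer end passes the guard and the subtraction
   wraps.  Returns the length the next memcpy would be handed (0 = rejected);
   a caller that trusts a wrapped value copies far past the buffer. */
static size_t flawed_remaining(size_t len, const nhdr_t *n, size_t align)
{
    size_t namesz = note_align(n->n_namesz, align);
    size_t descsz = note_align(n->n_descsz, align);
    if (namesz + descsz > len)          /* forgets NHDR_SIZE */
        return 0;
    len -= NHDR_SIZE;
    len -= namesz + descsz;             /* wraps when payload > len - 12 */
    return len;
}

/* Hardened accounting: derive the whole note span with overflow-safe steps
   and refuse anything that does not fit in the bytes left. */
static bool note_span(size_t len, const nhdr_t *n, size_t align, size_t *span)
{
    size_t namesz = note_align(n->n_namesz, align);
    size_t descsz = note_align(n->n_descsz, align);
    if (namesz < n->n_namesz || descsz < n->n_descsz) return false; /* align wrapped */
    if (namesz > SIZE_MAX - NHDR_SIZE) return false;
    size_t s = NHDR_SIZE + namesz;
    if (descsz > SIZE_MAX - s) return false;
    s += descsz;
    if (s > len) return false;
    *span = s;
    return true;
}

/* Walk a buffer of notes, stopping cleanly at the first one that does not
   fit.  Returns the number of notes accepted. */
static size_t count_notes(const unsigned char *buf, size_t len, size_t align)
{
    size_t count = 0;
    while (len >= NHDR_SIZE) {
        nhdr_t n = { rd32le(buf), rd32le(buf + 4), rd32le(buf + 8) };
        size_t span;
        if (!note_span(len, &n, align, &span))
            break;                      /* truncated or oversized note */
        buf += span;
        len -= span;
        count++;
    }
    return count;
}

/* Constructed input (not from the bug's PoC): a valid note followed by one
   whose n_descsz claims far more bytes than remain. */
static const unsigned char sample_notes[] = {
    /* note 1: namesz=4 "GNU\0", descsz=4, type=1 */
    4,0,0,0, 4,0,0,0, 1,0,0,0, 'G','N','U',0, 0xaa,0xbb,0xcc,0xdd,
    /* note 2: namesz=4, descsz=0xffffff00, type=2, only the name follows */
    4,0,0,0, 0x00,0xff,0xff,0xff, 2,0,0,0, 'G','N','U',0,
};

static size_t sample_note_count(void)
{
    return count_notes(sample_notes, sizeof sample_notes, 4);
}

/* A 16-byte payload with 20 bytes left: the flawed guard accepts it and the
   remaining length wraps to SIZE_MAX - 7. */
static size_t flawed_demo(void)
{
    nhdr_t n = { .n_namesz = 4, .n_descsz = 12, .n_type = 1 };
    return flawed_remaining(20, &n, 4);
}

int main(void)
{
    printf("notes accepted by hardened walker: %zu\n", sample_note_count());
    printf("flawed remaining length: %zu\n", flawed_demo());
    return 0;
}
```

The hardened walker never reaches a copy with a length it has not proven to fit; the flawed one returns a wrapped size_t that the subsequent memcpy would treat as a multi-exabyte copy, which is the segmentation fault the reproducer above triggers in the vulnerable version.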
Comment 1 Robert Frohl 2019-02-12 10:23:33 UTC
Even though the code in all versions we ship is different, I believe all codestreams are affected by looking at the upstream change [0]:
- SUSE:SLE-11-SP1:Update
- SUSE:SLE-11-SP2:Update
- SUSE:SLE-12:Update
- SUSE:SLE-15:Update 

[0] https://sourceware.org/bugzilla/show_bug.cgi?id=24084#c1
Comment 2 Robert Frohl 2019-02-12 10:28:05 UTC
Created attachment 796583 [details]
QA Reproducer

$ eu-elflint -d POC
[..]
Segmentation fault (core dumped)
Comment 3 Robert Frohl 2019-02-12 10:49:13 UTC
Reproducer does not work with version 0.168 of elfutils.
Comment 5 João Moreira 2019-06-12 16:34:30 UTC
I wasn't able to reproduce the bug in any of the code streams.

SLE15: Not reproduced
SLE12: Not reproduced
SLE11-SP2: Not reproduced
SLE11-SP1: Not reproduced
Comment 6 Marcus Meissner 2020-01-08 09:50:01 UTC
-> reassign to current maintainer
Comment 7 Marcus Meissner 2020-07-31 07:01:14 UTC
-> closing as not for us