Bug 1213464 (CVE-2021-33294)

Summary: VUL-0: CVE-2021-33294: elfutils: hang while process crafted file
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Leroy <thomas.leroy>
Component: IncidentsAssignee: Michael Matz <matz>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: matz, security-team, stoyan.manolov, tonyj
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/372807/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-33294:2.5:(AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Leroy 2023-07-19 09:29:25 UTC 
CVE-2021-33294

In elfutils 0.183, an infinite loop was found in the function handle_symtab in
readelf.c .Which allows attackers to cause a denial of service (infinite loop)
via crafted file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33294
https://www.cve.org/CVERecord?id=CVE-2021-33294
https://sourceware.org/bugzilla/show_bug.cgi?id=27501
https://sourceware.org/pipermail/elfutils-devel/2021q1/003607.html
Comment 1 Thomas Leroy 2023-07-19 09:30:02 UTC 
Should be affected:
- SUSE:SLE-12:Update
- SUSE:SLE-15-SP3:Update
- SUSE:SLE-15:Update
Comment 2 Tony Jones 2023-07-19 15:19:53 UTC 
I'm not the maintainer of elfutils.
Comment 3 Thomas Leroy 2023-07-19 15:26:24 UTC 
(In reply to Tony Jones from comment #2)
> I'm not the maintainer of elfutils.

According to IBS:

$ isc maintainer -e -A elfutils                                                                                                                             
Defined in package: SUSE:SLE-11-SP1:GA/elfutils 
  bugowner of elfutils : 
   tonyj@suse.com

  maintainer of elfutils : 
   -

Defined in package: SUSE:SLE-11:GA/elfutils 
  bugowner of elfutils : 
   tonyj@suse.com

  maintainer of elfutils : 
   -
Comment 5 Tony Jones 2023-08-15 03:45:59 UTC 
I handed maintenance of elfutils over to the toolchain team several years ago.
I have no idea why the maintainer hasn't been updated. 
Ask Matz.
Comment 8 Michael Matz 2023-11-21 14:01:35 UTC 
Please dispute the CVE.  Like with binutils fuzzing it doesn't make sense to handle
this as a security bug.  If you get a hang with 'eu-readelf' on a crafted input
file you got from the internet then the right way of action is "don't do that".

I will cite from upstream bug report:

------------------
Apparently someone created a CVE for this bug:
https://nvd.nist.gov/vuln/detail/CVE-2021-33294

Note that we don't consider this a security issue:
https://sourceware.org/cgit/elfutils/tree/SECURITY

  Since most elfutils tools are run in short-lived, local, interactive,
  development context rather than remotely "in production", we generally
  treat malfunctions as ordinary bugs rather than security vulnerabilities.
------------------

I could handle this in a similar way to binutils and update elfutils from time
to time wholesale.  I could also backport the patch in this specific instance,
it seems simple enough.  But I fear that would set a precedent I don't want to
follow.  I don't want to risk the stability of our stuff based on totally non-sense
CVEs.  So... I would close this as INVALID or WONTFIX, but that needs to be done
by the security team.
Comment 9 Marcus Meissner 2023-11-27 16:00:41 UTC 
classified as "Wont Fix".
Comment 10 Marcus Meissner 2023-11-27 16:01:55 UTC 
i added a note to elfutils

SUSE considers elfutils a developer tool which does not receive untrusted input. Code processed by elfutils is being executed in any normal scenario, so security exploits could just inject regular binary code. For this reason we update elfutils ocassionaly to the current stable version to catch up on features and bugfixes. If you are processing untrusted binary code with elfutils we recommend doing so on a seperate system or VM.