Bug 1214589 (CVE-2020-21047)

Summary: VUL-0: CVE-2020-21047: elfutils: denial-of-service inside the libcpu component which is used by libasm
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: abergmann, matz, mjambor, rfrohl, security-team, stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/375958/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-21047:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2023-08-24 15:00:33 UTC
CVE-2020-21047

The libcpu component, which is used by libasm of elfutils version 0.177 (git
47780c9e), suffers from a denial-of-service vulnerability caused by application
crashes due to an out-of-bounds write (CWE-787), an off-by-one error (CWE-193) and
a reachable assertion (CWE-617); to exploit the vulnerability, attackers need
to craft certain ELF files which bypass the missing bound checks.

Upstream fix:
https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=99dc63b10b3878616b85df2dfd2e4e7103e414b8

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-21047
https://www.cve.org/CVERecord?id=CVE-2020-21047
https://sourceware.org/bugzilla/show_bug.cgi?id=25068
https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=99dc63b10b3878616b85df2dfd2e4e7103e414b8

Comment 2 Tony Jones 2023-08-24 15:39:51 UTC
I'm not the elfutils maintainer. I handed it over to the toolchain team a long time ago. Michael, can you get whatever DB maintains this info updated with the correct maintainer? Thanks.

Comment 7 Michael Matz 2024-01-22 15:03:21 UTC
See https://sourceware.org/git/?p=elfutils.git;a=blob_plain;f=SECURITY;hb=HEAD
for the upstream policy regarding fuzzing-based "security vulnerabilities". In particular:

  Since most elfutils tools are run in short-lived, local, interactive,
  development context rather than remotely "in production", we generally
  treat malfunctions as ordinary bugs rather than security vulnerabilities.

That applies to this CVE. I suggest closing this as WONTFIX and appropriately marking elfutils generally, or this CVE in particular, in any customer-facing documentation.

Comment 8 Robert Frohl 2024-05-28 08:43:18 UTC
closing