Bug 1125008 - (CVE-2019-7664) VUL-1: CVE-2019-7664: elfutils: negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Martin Liška
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/224492/
Whiteboard: CVSSv3:SUSE:CVE-2019-7664:3.3:(AV:L/...
Keywords:
Depends on:
Blocks:

Reported: 2019-02-11 15:19 UTC by Robert Frohl
Modified: 2020-10-21 09:22 UTC
CC: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
QA Reproducer (10.15 KB, application/x-core), 2019-02-12 10:28 UTC, Robert Frohl

Description Robert Frohl 2019-02-11 15:19:44 UTC
CVE-2019-7664

In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in
libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input
causes a segmentation fault, leading to denial of service (program crash).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-7664
https://sourceware.org/bugzilla/show_bug.cgi?id=24084
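The failure mode the description names, an incorrect overflow check on a note's declared size, shown as an added example (not elfutils' code): a note length computed in 32-bit arithmetic wraps to a small value and passes a naive bounds test, while the checked variant widens before adding and compares against the bytes actually left. NoteHdr, the function names and the sample section are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* SysV ELF note header: three 32-bit words, then name and descriptor, each padded to 4 bytes. */
typedef struct { uint32_t n_namesz; uint32_t n_type; uint32_t n_descsz; } NoteHdr;

/* Naive size in 32-bit arithmetic: the additions can wrap, so a huge n_namesz
 * yields a tiny total that passes a plain "total <= bytes left" test. */
uint32_t note_len_naive(const NoteHdr *n)
{
    return (uint32_t)sizeof *n + ((n->n_namesz + 3u) & ~3u) + ((n->n_descsz + 3u) & ~3u);
}

/* Checked size: widen to 64 bits so no step can wrap, then compare against the
 * bytes actually left in the section. Returns 1 if the note fits, else 0. */
int note_len_checked(const NoteHdr *n, size_t left, size_t *out)
{
    uint64_t total = sizeof *n;
    total += ((uint64_t)n->n_namesz + 3) & ~(uint64_t)3;
    total += ((uint64_t)n->n_descsz + 3) & ~(uint64_t)3;
    if (left < sizeof *n || total > left) return 0;
    *out = (size_t)total;
    return 1;
}

/* Count notes that pass the checked test; stop at the first one that does not fit. */
size_t count_valid_notes(const unsigned char *buf, size_t len)
{
    NoteHdr n; size_t count = 0, off = 0, nlen;
    while (len - off >= sizeof n) {
        memcpy(&n, buf + off, sizeof n);      /* alignment-safe header read */
        if (!note_len_checked(&n, len - off, &nlen))
            break;
        count++;
        off += nlen;
    }
    return count;
}

/* Constructed header: 12 + align4(0xFFFFFFF8) + align4(4) wraps to 8 in 32 bits. */
const NoteHdr crafted_hdr = { 0xFFFFFFF8u, 0, 4 };

/* Constructed sample section: one well-formed "GNU" note, then the crafted header. */
size_t valid_notes_in_sample(void)
{
    unsigned char buf[40] = { 0 };            /* descriptor and trailing bytes stay zero */
    const NoteHdr good = { 4, 1, 4 };
    memcpy(buf, &good, sizeof good);
    memcpy(buf + 12, "GNU", 4);               /* name including its NUL terminator */
    memcpy(buf + 20, &crafted_hdr, sizeof crafted_hdr);
    return count_valid_notes(buf, sizeof buf);
}
```

With the naive computation the crafted header reports a length of 8 bytes, smaller than the header itself, so a copy driven by the real n_namesz would run far past the buffer; the checked walker accepts only the first note and stops.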
Comment 1 Robert Frohl 2019-02-12 10:23:33 UTC
Even though the code in all versions we ship is different, I believe all codestreams are affected by looking at the upstream change [0]:
- SUSE:SLE-11-SP1:Update
- SUSE:SLE-11-SP2:Update
- SUSE:SLE-12:Update
- SUSE:SLE-15:Update

[0] https://sourceware.org/bugzilla/show_bug.cgi?id=24084#c1
Comment 2 Robert Frohl 2019-02-12 10:28:05 UTC
Created attachment 796583 [details]
QA Reproducer

$ eu-elflint -d POC
[..]
Segmentation fault (core dumped)
Comment 3 Robert Frohl 2019-02-12 10:49:13 UTC
Reproducer does not work with version 0.168 of elfutils.
Comment 5 João Moreira 2019-06-12 16:34:30 UTC
I wasn't able to reproduce the bug in any of the code streams.

SLE15: Not reproduced
SLE12: Not reproduced
SLE11-SP2: Not reproduced
SLE11-SP1: Not reproduced
Comment 6 Marcus Meissner 2020-01-08 09:50:01 UTC
-> reassign to current maintainer
Comment 7 Marcus Meissner 2020-07-31 07:01:14 UTC
-> closing as not for us