Bug 1213464 (CVE-2021-33294) - VUL-0: CVE-2021-33294: elfutils: hang while process crafted file
Status: RESOLVED FIXED
Alias: CVE-2021-33294
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Minor
Target Milestone: ---
Assignee: Michael Matz
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/372807/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-33294:2.5:(AV:...
Reported: 2023-07-19 09:29 UTC by Thomas Leroy
Modified: 2023-11-27 16:01 UTC
Found By: Security Response Team


Description Thomas Leroy 2023-07-19 09:29:25 UTC
CVE-2021-33294

In elfutils 0.183, an infinite loop was found in the function handle_symtab in
readelf.c, which allows attackers to cause a denial of service (infinite loop)
via a crafted file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33294
https://www.cve.org/CVERecord?id=CVE-2021-33294
https://sourceware.org/bugzilla/show_bug.cgi?id=27501
https://sourceware.org/pipermail/elfutils-devel/2021q1/003607.html
Comment 1 Thomas Leroy 2023-07-19 09:30:02 UTC
Should be affected:
- SUSE:SLE-12:Update
- SUSE:SLE-15-SP3:Update
- SUSE:SLE-15:Update
Comment 2 Tony Jones 2023-07-19 15:19:53 UTC
I'm not the maintainer of elfutils.
Comment 3 Thomas Leroy 2023-07-19 15:26:24 UTC
(In reply to Tony Jones from comment #2)
> I'm not the maintainer of elfutils.

According to IBS:

$ isc maintainer -e -A elfutils
Defined in package: SUSE:SLE-11-SP1:GA/elfutils 
  bugowner of elfutils : 
   tonyj@suse.com

  maintainer of elfutils : 
   -

Defined in package: SUSE:SLE-11:GA/elfutils 
  bugowner of elfutils : 
   tonyj@suse.com

  maintainer of elfutils : 
   -
Comment 5 Tony Jones 2023-08-15 03:45:59 UTC
I handed maintenance of elfutils over to the toolchain team several years ago.
I have no idea why the maintainer hasn't been updated. 
Ask Matz.
Comment 8 Michael Matz 2023-11-21 14:01:35 UTC
Please dispute the CVE.  Like with binutils fuzzing it doesn't make sense to handle
this as a security bug.  If you get a hang with 'eu-readelf' on a crafted input
file you got from the internet then the right way of action is "don't do that".

I will cite from upstream bug report:

------------------
Apparently someone created a CVE for this bug:
https://nvd.nist.gov/vuln/detail/CVE-2021-33294

Note that we don't consider this a security issue:
https://sourceware.org/cgit/elfutils/tree/SECURITY

  Since most elfutils tools are run in short-lived, local, interactive,
  development context rather than remotely "in production", we generally
  treat malfunctions as ordinary bugs rather than security vulnerabilities.
------------------

I could handle this in a similar way to binutils and update elfutils from time
to time wholesale.  I could also backport the patch in this specific instance,
it seems simple enough.  But I fear that would set a precedent I don't want to
follow.  I don't want to risk the stability of our stuff based on totally nonsense
CVEs.  So... I would close this as INVALID or WONTFIX, but that needs to be done
by the security team.
Comment 9 Marcus Meissner 2023-11-27 16:00:41 UTC
classified as "Wont Fix".
Comment 10 Marcus Meissner 2023-11-27 16:01:55 UTC
I added a note to elfutils

SUSE considers elfutils a developer tool which does not receive untrusted input. Code processed by elfutils is being executed in any normal scenario, so security exploits could just inject regular binary code. For this reason we update elfutils occasionally to the current stable version to catch up on features and bugfixes. If you are processing untrusted binary code with elfutils we recommend doing so on a separate system or VM.