Bug 1012823 - (CVE-2016-9480) VUL-1: CVE-2016-9480: libdwarf: heap buffer overflow in dwarf_util.c
(CVE-2016-9480)
VUL-1: CVE-2016-9480: libdwarf: heap buffer overflow in dwarf_util.c
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 42.2
Other Other
: P3 - Medium : Normal (vote)
: ---
Assigned To: Dirk Mueller
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-11-30 14:07 UTC by Alexander Bergmann
Modified: 2018-02-19 15:27 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2016-11-30 14:07:42 UTC
rh#1399990

libdwarf allows context-dependent attackers to obtain sensitive information or cause a denial of service by using the "malformed dwarf file" approach, related to a "Heap Buffer Over-read" issue affecting the dwarf_util.c component.

References:
DW201611-006
https://www.prevanders.net/dwarfbug.html

Upstream bug (currently private):
https://sourceforge.net/p/libdwarf/bugs/5/

Upstream patch:
https://sourceforge.net/p/libdwarf/code/ci/5dd64de047cd5ec479fb11fe7ff2692fd819e5e5/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1399990
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9480
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9480.html
http://www.cvedetails.com/cve/CVE-2016-9480/
https://www.prevanders.net/dwarfbug.html
https://sourceforge.net/p/libdwarf/code/ci/5dd64de047cd5ec479fb11fe7ff2692fd819e5e5/
https://sourceforge.net/p/libdwarf/bugs/5/
Comment 2 Swamp Workflow Management 2016-11-30 23:00:52 UTC
bugbot adjusting priority
Comment 3 Dirk Mueller 2017-01-02 14:16:42 UTC
do you really want me to only fix this bug out of the 20 pending CVEs for libdwarf? also this is not really used in any security relevant context in leap, why bother?
Comment 4 Bernhard Wiedemann 2017-01-02 15:00:48 UTC
This is an autogenerated message for OBS integration:
This bug (1012823) was mentioned in
https://build.opensuse.org/request/show/448518 Factory / libdwarf
Comment 5 Karol Babioch 2018-01-16 10:48:40 UTC
Fixed in Factory, not fixing in Leap.