SB2019031807 - Arch Linux update for libelf 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019031807

SB2019031807 - Arch Linux update for libelf

Published: March 18, 2019 Updated: April 21, 2019

Security Bulletin ID SB2019031807
Severity
Low
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2019-7148)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the libelf component due to improper handling of Executable and Linkable Format (ELF) files by the read_long_names function, as defined in the elf_begin.c source code file. A remote attacker can trick the victim into accessing an ELF file that submits malicious input and cause the affected application to improperly allocate excessive memory resources, resulting in a DoS condition.


2) Heap-based out-of-bounds read (CVE-ID: CVE-2019-7149)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of Executable and Linkable Format (ELF) files by the read_srclines function, as defined in the dwarf_getsrclines.c source code file. A remote attacker can trick the victim into opening a specially crafted an ELF file that submits malicious input, trigger a heap-based buffer over-read condition and cause the affected application to crash, resulting in a DoS condition.


3) Segmentation fault (CVE-ID: CVE-2019-7150)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient sanitization of user-supplied input by the elf64_xlatetom function as defined in the libelf/elf32_xlatetom.c source code file. A remote attacker can trick the victim into opening a specially crafted file that submits malicious input, trigger a segmentation fault and cause the affected application to crash, resulting in a DoS condition.


4) Memory corruption (CVE-ID: CVE-2019-7664)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to improper overflow checks by the elf_cvt_note function, as defined in the libelf/note_xlate.h source code file . A remote attacker can trick the victim into opening an Executable and Linkable Format (ELF) file that submits malicious input, trigger memory corruption and cause the affected application to crash, resulting in a DoS condition.

5) Segmentation fault (CVE-ID: CVE-2019-7665)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in the ebl_core_note function due to improper check if the values of a NT_PLATFORM core file note is a zero-terminated string. A remote attacker can trick the victim into opening an Executable and Linkable Format (ELF) file that submits malicious input, trigger a segmentation fault that causes the affected application to crash, resulting in a DoS condition. 


Remediation

Install update from vendor's website.

References