Arch Linux Security Advisory ASA-201606-23
==========================================

Severity: High
Date    : 2016-06-25
CVE-ID  : CVE-2016-5027 CVE-2016-5028 CVE-2016-5029 CVE-2016-5030
          CVE-2016-5031 CVE-2016-5032 CVE-2016-5033 CVE-2016-5034
          CVE-2016-5035 CVE-2016-5036 CVE-2016-5037 CVE-2016-5038
          CVE-2016-5039 CVE-2016-5040 CVE-2016-5041 CVE-2016-5042
          CVE-2016-5043 CVE-2016-5044
Package : libdwarf
Type    : arbitrary code execution
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package libdwarf before version 20160613-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 20160613-1.

# pacman -Syu "libdwarf>=20160613-1"

The problems have been fixed upstream in version 20160613.

Workaround
==========

None.

Description
===========

- CVE-2016-5027 (denial of service)

Multiple NULL pointer dereference issues in several functions of
libdwarf/dwarf_leb.c, where leb128_length was wrongly assumed non-NULL.

- CVE-2016-5028 (denial of service)

NULL pointer dereference issue in print_frame_inst_bytes().

- CVE-2016-5029 (denial of service)

NULL pointer dereference issue in create_fullest_file_path().

- CVE-2016-5030 (denial of service)

NULL pointer dereference issue in
_dwarf_calculate_info_section_end_ptr().

- CVE-2016-5031 (denial of service)

Out-of-bounds read bug in print_frame_inst_bytes().

- CVE-2016-5032 (denial of service)

Out-of-bounds read bug in dwarf_get_xu_hash_entry().

- CVE-2016-5033 (denial of service)

Out-of-bounds read bug in print_exprloc_content().

- CVE-2016-5034 (arbitrary code execution)

Invalid write in dwarf_elf_access.c.

- CVE-2016-5035 (denial of service)

Out-of-bounds read bug in _dwarf_read_line_table_header().

- CVE-2016-5036 (denial of service)

Out-of-bounds read bug in dump_block().

- CVE-2016-5037 (denial of service)

NULL pointer dereference issue in _dwarf_load_section().

- CVE-2016-5038 (denial of service)

NULL pointer dereference issue in dwarf_get_macro_startend_file().

- CVE-2016-5039 (denial of service)

Out-of-bounds read bug in get_attr_value().

- CVE-2016-5040 (denial of service)

Out-of-bounds read bug.

- CVE-2016-5041 (denial of service)

NULL pointer dereference issue.

- CVE-2016-5042 (denial of service)

Infinite loop leading to out-of-bounds read in
dwarf_get_aranges_list().

- CVE-2016-5043 (denial of service)

Out-of-bounds read bug in dwarf_dealloc().

- CVE-2016-5044 (arbitrary code execution)

Heap-overflow.

Impact
======

An attacker might be able to execute arbitrary code on the affected
host with a crafted ELF file, or crafted dwarf sections in an object
file.

References
==========

http://seclists.org/oss-sec/2016/q2/393
https://www.prevanders.net/dwarfbug.html
https://access.redhat.com/security/cve/CVE-2016-5027
https://access.redhat.com/security/cve/CVE-2016-5028
https://access.redhat.com/security/cve/CVE-2016-5029
https://access.redhat.com/security/cve/CVE-2016-5030
https://access.redhat.com/security/cve/CVE-2016-5031
https://access.redhat.com/security/cve/CVE-2016-5032
https://access.redhat.com/security/cve/CVE-2016-5033
https://access.redhat.com/security/cve/CVE-2016-5034
https://access.redhat.com/security/cve/CVE-2016-5035
https://access.redhat.com/security/cve/CVE-2016-5036
https://access.redhat.com/security/cve/CVE-2016-5037
https://access.redhat.com/security/cve/CVE-2016-5038
https://access.redhat.com/security/cve/CVE-2016-5039
https://access.redhat.com/security/cve/CVE-2016-5040
https://access.redhat.com/security/cve/CVE-2016-5041
https://access.redhat.com/security/cve/CVE-2016-5042
https://access.redhat.com/security/cve/CVE-2016-5043
https://access.redhat.com/security/cve/CVE-2016-5044