[arch-security] [ASA-201612-4] libdwarf: multiple issues

Christian Rebischke Chris.Rebischke at archlinux.org
Sun Dec 4 16:12:36 UTC 2016


Arch Linux Security Advisory ASA-201612-4
=========================================

Severity: High
Date    : 2016-12-03
CVE-ID  : CVE-2016-5027 CVE-2016-5028 CVE-2016-5029 CVE-2016-5030
          CVE-2016-5031 CVE-2016-5032 CVE-2016-5033 CVE-2016-5035
          CVE-2016-5037 CVE-2016-5040 CVE-2016-5041 CVE-2016-5043
          CVE-2016-5044 CVE-2016-7510 CVE-2016-7511 CVE-2016-8679
          CVE-2016-8680 CVE-2016-8681 CVE-2016-9275 CVE-2016-9276
          CVE-2016-9480 CVE-2016-9558
Package : libdwarf
Type    : multiple issues
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package libdwarf before version 20161124-1 is vulnerable to
multiple issues including arbitrary code execution, information
disclosure and denial of service.

Resolution
==========

Upgrade to 20161124-1.

# pacman -Syu "libdwarf>=20161124-1"

The problems have been fixed upstream in version 20161124.

Workaround
==========

None.

Description
===========

- CVE-2016-5027 (denial of service)

A vulnerability was found in libdwarf. A malicious object whose data is
all-bits-on could bypass length checks, resulting in an out-of-bounds
read.

- CVE-2016-5028 (denial of service)

A null pointer dereference vulnerability was found in libdwarf,
triggered by a corrupted object file. libdwarf did not handle empty
(bss-like) sections, since it did not expect to see them among the
sections it reads.

- CVE-2016-5029 (denial of service)

A null pointer dereference vulnerability was found in the
create_fullest_file_path() function in libdwarf, caused by corrupted
DWARF data. The fix detects this corruption, and if a null string
pointer still reaches the function undetected, a static string is
substituted so that readers can notice the situation.

- CVE-2016-5030 (denial of service)

A null pointer dereference vulnerability was found in libdwarf in
_dwarf_calculate_info_section_end_ptr() function.

- CVE-2016-5031 (information disclosure)

An out-of-bounds read vulnerability was found in libdwarf in
print_frame_inst_bytes() function.

- CVE-2016-5032 (information disclosure)

An out-of-bounds read vulnerability was found in libdwarf in
dwarf_get_xu_hash_entry() function.

- CVE-2016-5033 (information disclosure)

An out-of-bounds read vulnerability was found in libdwarf in the
print_exprloc_content() function.

- CVE-2016-5035 (information disclosure)

An out-of-bounds read vulnerability was found in
dwarf_line_table_reader.c.

- CVE-2016-5037 (denial of service)

A null pointer dereference vulnerability was found in
_dwarf_load_section.

- CVE-2016-5040 (denial of service)

A vulnerability was found in libdwarf. If the data read for a
compilation unit header contains a length value that is too large, the
library will read outside of its bounds and crash the application.

- CVE-2016-5041 (denial of service)

A vulnerability was found in libdwarf. If no DW_AT_name is present in a
debugging information entry that uses DWARF5 macros, a null dereference
in dwarf_macro5.c will crash the application.

- CVE-2016-5043 (information disclosure)

A vulnerability was found in libdwarf. The function dwarf_dealloc() did
not check its Dwarf_Ptr space argument before using it, which leads to
an out-of-bounds read.

- CVE-2016-5044 (arbitrary code execution)

A vulnerability was found in libdwarf in dwarf_elf_access.c:1071. A
crafted ELF file may lead to a large offset value, bigger than the size
of the target_section heap chunk, so that the WRITE_UNALIGNED() call
writes the value of &outval outside the heap chunk. The offset is a
64-bit unsigned integer value, so this is not only a heap overflow bug
but also an out-of-bounds write bug.

- CVE-2016-7510 (information disclosure)

An out-of-bounds read vulnerability was found in
read_line_table_program() in libdwarf.

- CVE-2016-7511 (denial of service)

An integer overflow vulnerability was found in dwarf_die_deliv.c,
causing a segmentation fault.

- CVE-2016-8679 (information disclosure)

An out-of-bounds heap read vulnerability was found in
_dwarf_get_size_of_val, triggered by invoking the dwarfdump command on
a crafted file.

- CVE-2016-8680 (information disclosure)

An out-of-bounds heap read vulnerability was found in
_dwarf_get_abbrev_for_code, triggered by invoking the dwarfdump command
on a crafted file.

- CVE-2016-8681 (information disclosure)

An out-of-bounds heap read vulnerability was found in
_dwarf_get_abbrev_for_code, triggered by invoking the dwarfdump command
on a crafted file.

- CVE-2016-9275 (information disclosure)

An out-of-bounds heap read was found in _dwarf_skim_forms in
dwarf_macro5.c, triggered by crafted input to the dwarfdump utility.

- CVE-2016-9276 (information disclosure)

An out-of-bounds heap read was found in dwarf_get_aranges_list in
dwarf_arange.c, triggered by crafted input to the dwarfdump utility.

- CVE-2016-9480 (information disclosure)

libdwarf allows context-dependent attackers to obtain sensitive
information or cause a denial of service via a malformed DWARF file,
related to a heap buffer over-read issue affecting the dwarf_util.c
component.

- CVE-2016-9558 (denial of service)

A negation overflow vulnerability was found in dwarf_leb.c, triggered by
crafted input to the dwarfdump utility.
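
Several of the issues above are variations of a few parsing failure
modes: a compilation unit length that claims more bytes than the section
holds (CVE-2016-5040), all-bits-on data that slips past a length check
(CVE-2016-5027), and a negation that overflows while sign-extending a
LEB128 value (CVE-2016-9558). The following is an added illustration
written for this advisory, not libdwarf's own code: a cursor-based
reader for a DWARF 2-4 compilation unit header and a LEB128 decoder that
reject each of those input shapes before the value is used. The header
field layout and the 0xffffffff / reserved 0xfffffff0 escape values
follow the DWARF standard; the sample byte strings are constructed,
little-endian byte order is assumed, and the function, struct and status
names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

enum dw_status { DW_OK = 0, DW_ERR_TRUNCATED, DW_ERR_BAD_LENGTH, DW_ERR_LEB_TOO_LONG };

/* The cursor tracks bytes *remaining* rather than an end pointer, so an untrusted
 * length is only ever compared with a size and never added to a pointer. */
struct dw_cursor { const uint8_t *p; size_t remaining; };

struct dw_cu_header {           /* DWARF 2-4 layout; DWARF 5 orders the fields differently */
    uint64_t unit_length;       /* bytes of this unit after the length field */
    uint64_t abbrev_offset; int offset_size;  /* offset_size: 4 = 32-bit DWARF, 8 = 64-bit DWARF */
    uint16_t version; uint8_t address_size;
};

/* Little-endian fixed-width read; a real reader takes byte order from the ELF header. */
static int dw_read_le(struct dw_cursor *c, size_t n, uint64_t *out)
{
    uint64_t v = 0;
    if (c->remaining < n) return DW_ERR_TRUNCATED;
    for (size_t i = 0; i < n; i++) v |= (uint64_t)c->p[i] << (8 * i);
    c->p += n; c->remaining -= n; *out = v;
    return DW_OK;
}

int dw_parse_cu_header(struct dw_cursor *c, struct dw_cu_header *h)
{
    uint64_t v;
    if (dw_read_le(c, 4, &v)) return DW_ERR_TRUNCATED;
    if (v == 0xffffffffu) {                 /* all-bits-on escape: a 64-bit length follows */
        h->offset_size = 8;
        if (dw_read_le(c, 8, &h->unit_length)) return DW_ERR_TRUNCATED;
    } else if (v >= 0xfffffff0u) return DW_ERR_BAD_LENGTH;   /* reserved escape values */
    else { h->offset_size = 4; h->unit_length = v; }
    /* The unit must fit in what is left of the section and must hold the fixed fields. */
    if (h->unit_length > c->remaining) return DW_ERR_BAD_LENGTH;
    if (h->unit_length < 3u + (uint64_t)h->offset_size) return DW_ERR_BAD_LENGTH;
    if (dw_read_le(c, 2, &v)) return DW_ERR_TRUNCATED;
    h->version = (uint16_t)v;
    if (dw_read_le(c, (size_t)h->offset_size, &h->abbrev_offset)) return DW_ERR_TRUNCATED;
    if (dw_read_le(c, 1, &v)) return DW_ERR_TRUNCATED;
    h->address_size = (uint8_t)v;
    return DW_OK;
}

/* LEB128 for both signednesses: bytes stay inside the cursor, encodings wider than
 * 64 bits are rejected, and sign extension happens in the unsigned domain, so nothing
 * like -(1 << shift) is ever evaluated on a signed type (the negation-overflow shape). */
int dw_read_leb128(struct dw_cursor *c, int is_signed, uint64_t *out)
{
    uint64_t result = 0; unsigned shift = 0; uint8_t b = 0;
    for (;;) {
        if (c->remaining == 0) return DW_ERR_TRUNCATED;
        b = *c->p++; c->remaining--;
        if (shift >= 64) return DW_ERR_LEB_TOO_LONG;
        if (shift == 63) {                  /* 10th byte: only bit 63 (or a repeated sign) fits */
            uint8_t hi = b & 0x7f;
            if (is_signed ? (hi != 0 && hi != 0x7f) : hi > 1) return DW_ERR_LEB_TOO_LONG;
        }
        result |= (uint64_t)(b & 0x7f) << shift;
        shift += 7;
        if (!(b & 0x80)) break;
    }
    if (is_signed && shift < 64 && (b & 0x40)) result |= ~(uint64_t)0 << shift;
    *out = result;                          /* signed callers reinterpret as int64_t */
    return DW_OK;
}

/* Constructed little-endian samples, not taken from any real object file. */
static const uint8_t SAMPLE_GOOD[]     = { 0x0b,0,0,0, 4,0, 0,0,0,0, 8, 0xe5,0x8e,0x26, 0x7f };
static const uint8_t SAMPLE_TOO_LONG[] = { 0x40,0,0,0, 4,0, 0,0,0,0, 8 };     /* claims 64 bytes */
static const uint8_t SAMPLE_ALL_ONES[] = { 0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 4,0 };
static const uint8_t SAMPLE_ULEB_BIG[] = { 0x80,0x80,0x80,0x80,0x80,0x80,0x80,0x80,0x80,0x02 }; /* 65 bits */
static const uint8_t SAMPLE_SLEB_MIN[] = { 0x80,0x80,0x80,0x80,0x80,0x80,0x80,0x80,0x80,0x7f }; /* INT64_MIN */

uint64_t demo_leb_value(const uint8_t *buf, size_t len, int is_signed)   /* 0 on any error */
{
    struct dw_cursor c = { buf, len }; uint64_t v = 0;
    return dw_read_leb128(&c, is_signed, &v) == DW_OK ? v : 0;
}

/* Walks SAMPLE_GOOD end to end; 1 only if the header fields and both LEB payloads match. */
int demo_good_unit(void)
{
    struct dw_cursor c = { SAMPLE_GOOD, sizeof SAMPLE_GOOD };
    struct dw_cu_header h; uint64_t u, s;
    if (dw_parse_cu_header(&c, &h) != DW_OK) return 0;
    if (h.unit_length != 11 || h.offset_size != 4 || h.version != 4 || h.address_size != 8) return 0;
    if (dw_read_leb128(&c, 0, &u) != DW_OK || u != 624485) return 0;
    if (dw_read_leb128(&c, 1, &s) != DW_OK || (int64_t)s != -1) return 0;
    return c.remaining == 0;
}

int main(void)
{
    printf("good unit %d, oversized length %d, all-ones length %d, sleb INT64_MIN %lld\n",
           demo_good_unit(),
           dw_parse_cu_header(&(struct dw_cursor){ SAMPLE_TOO_LONG, sizeof SAMPLE_TOO_LONG }, &(struct dw_cu_header){0}),
           dw_parse_cu_header(&(struct dw_cursor){ SAMPLE_ALL_ONES, sizeof SAMPLE_ALL_ONES }, &(struct dw_cu_header){0}),
           (long long)(int64_t)demo_leb_value(SAMPLE_SLEB_MIN, sizeof SAMPLE_SLEB_MIN, 1));
    return 0;
}
```

Builds with any C99 compiler. The design point is that `remaining`
shrinks with every read and every length is compared against it as a
size, so an oversized or all-ones length is rejected before any pointer
is derived from it; the LEB128 decoder likewise bounds both the byte
count and the shift, and never negates a signed value to build the sign
extension.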

Impact
======

An attacker could obtain sensitive information, execute arbitrary code
or crash the application.

References
==========

https://blogs.gentoo.org/ago/2016/11/19/libdwarf-negation-overflow-in-dwarf_leb-c/
https://blogs.gentoo.org/ago/2016/11/07/libdwarf-heap-based-buffer-overflow-in-dwarf_get_aranges_list-dwarf_arange-c/
http://seclists.org/oss-sec/2016/q2/393
https://sourceforge.net/p/libdwarf/code/ci/a55b958926cc67f89a512ed30bb5a22b0adb10f4
https://sourceforge.net/p/libdwarf/code/ci/acae971371daa23a19358bc62204007d258fbc5e
https://sourceforge.net/p/libdwarf/code/ci/6fa3f710ee6f21bba7966b963033a91d77c952bd
https://sourceforge.net/p/libdwarf/code/ci/ac6673e32f3443a5d36c2217cb814000930b2c54
https://sourceforge.net/p/libdwarf/code/ci/82d8e007851805af0dcaaff41f49a2d48473334b
https://sourceforge.net/p/libdwarf/code/ci/b6ec2dfd850929821626ea63fb0a752076a3c08a
https://sourceforge.net/p/libdwarf/code/ci/98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f
https://sourceforge.net/p/libdwarf/bugs/3/
https://sourceforge.net/p/libdwarf/code/ci/2d14a7792889e33bc542c28d0f3792964c46214f/#diff-13
https://sourceforge.net/p/libdwarf/code/ci/efe48cad0693d6994d9a7b561e1c3833b073a624/#diff-2
http://seclists.org/oss-sec/2016/q4/144
https://sourceforge.net/p/libdwarf/code/ci/268c1f18d1d28612af3b72d7c670076b1b88e51c/tree/libdwarf/dwarf_util.c?diff=0b28b923c3bd9827d1d904feed2abadde4fa5de2
http://seclists.org/oss-sec/2016/q4/145
http://seclists.org/oss-sec/2016/q4/146
https://sourceforge.net/p/libdwarf/code/ci/583f8834083b5ef834c497f5b47797e16101a9a6/
http://seclists.org/oss-sec/2016/q4/401
https://github.com/asarubbo/poc/blob/master/00026-libdwarf-heapoverflow-dwarf_get_aranges_list
https://sourceforge.net/p/libdwarf/code/ci/5dd64de047cd5ec479fb11fe7ff2692fd819e5e5/
https://sourceforge.net/p/libdwarf/bugs/5/
https://www.prevanders.net/dwarfbug.html
https://access.redhat.com/security/cve/CVE-2016-5027
https://access.redhat.com/security/cve/CVE-2016-5028
https://access.redhat.com/security/cve/CVE-2016-5029
https://access.redhat.com/security/cve/CVE-2016-5030
https://access.redhat.com/security/cve/CVE-2016-5031
https://access.redhat.com/security/cve/CVE-2016-5032
https://access.redhat.com/security/cve/CVE-2016-5033
https://access.redhat.com/security/cve/CVE-2016-5035
https://access.redhat.com/security/cve/CVE-2016-5037
https://access.redhat.com/security/cve/CVE-2016-5040
https://access.redhat.com/security/cve/CVE-2016-5041
https://access.redhat.com/security/cve/CVE-2016-5043
https://access.redhat.com/security/cve/CVE-2016-5044
https://access.redhat.com/security/cve/CVE-2016-7510
https://access.redhat.com/security/cve/CVE-2016-7511
https://access.redhat.com/security/cve/CVE-2016-8679
https://access.redhat.com/security/cve/CVE-2016-8680
https://access.redhat.com/security/cve/CVE-2016-8681
https://access.redhat.com/security/cve/CVE-2016-9275
https://access.redhat.com/security/cve/CVE-2016-9276
https://access.redhat.com/security/cve/CVE-2016-9480
https://access.redhat.com/security/cve/CVE-2016-9558