Your message dated Fri, 07 Jul 2017 20:49:00 +0000
with message-id <e1dtabq-00095k...@fasolo.debian.org>
and subject line Bug#866968: fixed in dwarfutils 20170416-3
has caused the Debian Bug report #866968,
regarding dwarfutils: CVE-2017-9998: SEGV libdwarf/dwarf_leb.c:291 in _dwarf_decode_s_leb128_chk
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
866968: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866968
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: dwarfutils
Version: 20170416-2
Severity: normal
Tags: security upstream

Hi,

the following vulnerability was published for dwarfutils.

CVE-2017-9998[0]:
| The _dwarf_decode_s_leb128_chk function in dwarf_leb.c in libdwarf
| through 2017-06-28 allows remote attackers to cause a denial of service
| (Segmentation fault) via a crafted file.

$~/dwarfutils-20170416# ./dwarfdump/dwarfdump ~/POC1

.debug_info
ASAN:DEADLYSIGNAL
=================================================================
==985==ERROR: AddressSanitizer: SEGV on unknown address 0x60462c598e45 (pc 0x5611cdb92696 bp 0x7ffdcfc1c2a0 sp 0x7ffdcfc1c250 T0)
    #0 0x5611cdb92695 in _dwarf_decode_s_leb128_chk libdwarf/dwarf_leb.c:291
    #1 0x5611cdbc56a6 in _dwarf_get_size_of_val libdwarf/dwarf_util.c:371
    #2 0x5611cdbb941d in _dwarf_get_value_ptr libdwarf/dwarf_query.c:519
    #3 0x5611cdbb9e6c in dwarf_attr libdwarf/dwarf_query.c:614
    #4 0x5611cdb9acab in dwarf_srcfiles dwarf_line.c:326
    #5 0x5611cdb1a770 in print_one_die_section dwarfdump/print_die.c:812
    #6 0x5611cdb18326 in print_infos dwarfdump/print_die.c:371
    #7 0x5611cdb0599e in process_one_file dwarfdump/dwarfdump.c:1293
    #8 0x5611cdb035d7 in main dwarfdump/dwarfdump.c:562
    #9 0x7fa2134172b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #10 0x5611cdaffa09 in _start (/home/user/dwarfutils-20170416/dwarfdump/dwarfdump+0x4fa09)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV libdwarf/dwarf_leb.c:291 in _dwarf_decode_s_leb128_chk
==985==ABORTING

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9998
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9998

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
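
The report above names libdwarf's checked signed-LEB128 decoder as the crash site but does not include the patch. The following is an added example, not libdwarf's code and not the Debian patch: a signed LEB128 decoder that checks the end of the data before every read. The function name, return codes and sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical return codes for this example (not libdwarf's DW_DLV_* values). */
enum { LEB_OK = 0, LEB_ERR = -1 };

/* Decode one signed LEB128 value from the half-open range [p, end).
   The range is checked before every byte is read, so truncated or
   out-of-range input returns LEB_ERR instead of reading out of bounds. */
int decode_sleb128_checked(const uint8_t *p, const uint8_t *end,
                           int64_t *out, size_t *used)
{
    uint64_t result = 0;
    unsigned shift = 0;
    size_t n = 0;
    uint8_t byte;

    if (p == NULL || end == NULL || p >= end)
        return LEB_ERR;            /* start pointer is already outside the data */
    do {
        if (n >= (size_t)(end - p))
            return LEB_ERR;        /* continuation bit set on the last byte */
        if (shift >= 64)
            return LEB_ERR;        /* more 7-bit groups than 64 bits can hold */
        byte = p[n++];
        result |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
    } while (byte & 0x80);

    if (shift < 64 && (byte & 0x40))
        result |= ~(uint64_t)0 << shift;   /* sign-extend from the last group */
    *out = (int64_t)result;
    *used = n;
    return LEB_OK;
}

int main(void)
{
    /* Constructed inputs: a valid two-byte encoding of -128 and a truncated one. */
    const uint8_t ok[] = { 0x80, 0x7f }, cut[] = { 0x80, 0x80 };
    int64_t v = 0;
    size_t n = 0;

    if (decode_sleb128_checked(ok, ok + sizeof ok, &v, &n) == LEB_OK)
        printf("ok: %lld (%zu bytes)\n", (long long)v, n);
    if (decode_sleb128_checked(cut, cut + sizeof cut, &v, &n) == LEB_ERR)
        printf("truncated input rejected\n");
    return 0;
}
```
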
--- Begin Message ---
Source: dwarfutils
Source-Version: 20170416-3

We believe that the bug you reported is fixed in the latest version of
dwarfutils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 866...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Wolff <fabi.wo...@arcor.de> (supplier of updated dwarfutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 07 Jul 2017 14:31:46 +0200
Source: dwarfutils
Binary: dwarfdump libdwarf-dev libdwarf1
Architecture: source
Version: 20170416-3
Distribution: unstable
Urgency: medium
Maintainer: Fabian Wolff <fabi.wo...@arcor.de>
Changed-By: Fabian Wolff <fabi.wo...@arcor.de>
Closes: 866155 866968
Description: 
 dwarfdump  - utility to dump DWARF debug information from ELF objects
 libdwarf1  - library to consume and produce DWARF debug information (runtime)
 libdwarf-dev - library to consume and produce DWARF debug information
Changes:
 dwarfutils (20170416-3) unstable; urgency=medium
 .
   * Update debian/copyright.
   * Upgrade to Standards-Version 4.0.0 in debian/control (no changes).
   * Add patch 02-fix-CVE-2017-9998.patch to fix CVE-2017-9998
     (Closes: #866968).
   * Add override_dh_compress target in debian/rules to make sure the
     upstream changelog is compressed (Closes: #866155).

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
