{"affected":[{"ecosystem_specific":{"binaries":[{"dwarves":"1.22-150300.7.3.1","elfutils":"0.177-150300.11.3.1","libasm1":"0.177-150300.11.3.1","libdw1":"0.177-150300.11.3.1","libdwarves-devel":"1.22-150300.7.3.1","libdwarves1":"1.22-150300.7.3.1","libebl-plugins":"0.177-150300.11.3.1","libelf1":"0.177-150300.11.3.1"}]},"package":{"ecosystem":"openSUSE:Leap Micro 5.2","name":"dwarves","purl":"pkg:rpm/opensuse/dwarves&distro=openSUSE%20Leap%20Micro%205.2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.22-150300.7.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"dwarves":"1.22-150300.7.3.1","elfutils":"0.177-150300.11.3.1","libasm1":"0.177-150300.11.3.1","libdw1":"0.177-150300.11.3.1","libdwarves-devel":"1.22-150300.7.3.1","libdwarves1":"1.22-150300.7.3.1","libebl-plugins":"0.177-150300.11.3.1","libelf1":"0.177-150300.11.3.1"}]},"package":{"ecosystem":"openSUSE:Leap Micro 5.2","name":"elfutils","purl":"pkg:rpm/opensuse/elfutils&distro=openSUSE%20Leap%20Micro%205.2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.177-150300.11.3.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for dwarves and elfutils fixes the following issues:\n\nelfutils was updated to version 0.177 (jsc#SLE-24501):\n  \n- elfclassify: New tool to analyze ELF objects.\n- readelf: Print DW_AT_data_member_location as decimal offset.\n             Decode DW_AT_discr_list block attributes.\n- libdw: Add DW_AT_GNU_numerator, DW_AT_GNU_denominator and DW_AT_GNU_bias.\n- libdwelf: Add dwelf_elf_e_machine_string.\n            dwelf_elf_begin now only returns NULL when there is an error\n            reading or decompressing a file. If the file is not an ELF file\n            an ELF handle of type ELF_K_NONE is returned.\n- backends: Add support for C-SKY.\n  \nUpdate to version 0.176:\n\n- build: Add new --enable-install-elfh option.\n         Do NOT use this for system installs (it overrides glibc elf.h).\n- backends: riscv improved core file and return value location support.\n- Fixes:\n  - CVE-2019-7146, CVE-2019-7148, CVE-2019-7149, CVE-2019-7664 - CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685)\n  - CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (CVE is a bit misleading, as this is not a bug in libelf as described) (bsc#1125007)\n  \nUpdate to version 0.175:\n  \n- readelf: Handle mutliple .debug_macro sections.\n           Recognize and parse GNU Property, NT_VERSION and\n           GNU Build Attribute ELF Notes.\n- strip: Handle SHT_GROUP correctly.\n         Add strip --reloc-debug-sections-only option.\n         Handle relocations against GNU compressed sections.\n- libdwelf: New function dwelf_elf_begin.\n- libcpu: Recognize bpf jump variants BPF_JLT, BPF_JLE, BPF_JSLT\n            and BPF_JSLE.\n    backends: RISCV handles ADD/SUB relocations.\n              Handle SHT_X86_64_UNWIND.\n  - CVE-2018-18521: arlib: Divide-by-zero vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)\n  - CVE-2018-18310: Invalid Address Read problem in dwfl_segment_report_module.c (bsc#1111973)\n  - CVE-2018-18520: eu-size: Bad handling of ar files inside are files (bsc#1112726)\n  \nUpdate to version 0.174:\n  \n- libelf, libdw and all tools now handle extended shnum and\n  shstrndx correctly.\n  \n- elfcompress: Don't rewrite input file if no section data needs\n               updating. Try harder to keep same file mode bits\n               (suid) on rewrite.\n- strip: Handle mixed (out of order) allocated/non-allocated sections.\n- unstrip: Handle SHT_GROUP sections.\n- backends: RISCV and M68K now have backend implementations to\n            generate CFI based backtraces.\n- Fixes:\n  - CVE-2018-16402: libelf: denial of service/double free on an attempt to decompress the same section twice (bsc#1107066) Double-free crash in nm and readelf\n  - CVE-2018-16403: heap buffer overflow in readelf (bsc#1107067)\n  - CVE-2018-16062: heap-buffer-overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)\n    \nUpdate to version 0.173:\n  \n- More fixes for crashes and hangs found by afl-fuzz. In particular various\n  functions now detect and break infinite loops caused by bad DIE tree cycles.\n- readelf: Will now lookup the size and signedness of constant value types\n           to display them correctly (and not just how they were encoded).\n- libdw: New function dwarf_next_lines to read CU-less .debug_line data.\n         dwarf_begin_elf now accepts ELF files containing just .debug_line\n         or .debug_frame sections (which can be read without needing a DIE\n         tree from the .debug_info section).\n         Removed dwarf_getscn_info, which was never implemented.\n- backends: Handle BPF simple relocations.\n            The RISCV backends now handles ABI specific CFI and knows about\n            RISCV register types and names.\n  \nUpdate to version 0.172:\n  \n- Various bug fixes in libdw and eu-readelf dealing with bad DWARF5 data.\n  Thanks to running the afl fuzzer on eu-readelf and various testcases.\n  \nUpdate to version 0.171:\n  \n- DWARF5 and split dwarf, including GNU DebugFission, are supported now.\n  Data can be read from the new DWARF sections .debug_addr, .debug_line_str,\n  .debug_loclists, .debug_str_offsets and .debug_rnglists.  Plus the new\n  DWARF5 and GNU DebugFission encodings of the existing .debug sections.\n  Also in split DWARF .dwo (DWARF object) files.  This support is mostly\n  handled by existing functions (dwarf_getlocation*, dwarf_getsrclines,\n  dwarf_ranges, dwarf_form*, etc.) now returning the data from the new\n  sections and data formats.  But some new functions have been added\n  to more easily get information about skeleton and split compile units\n  (dwarf_get_units and dwarf_cu_info), handle new attribute data\n  (dwarf_getabbrevattr_data) and to keep references to Dwarf_Dies\n  that might come from different sections or files (dwarf_die_addr_die).\n- Not yet supported are .dwp (Dwarf Package) and .sup (Dwarf Supplementary)\n  files, the .debug_names index, the .debug_cu_index and .debug_tu_index\n  sections. Only a single .debug_info (and .debug_types) section are\n  currently handled.\n- readelf: Handle all new DWARF5 sections.\n           --debug-dump=info+ will show split unit DIEs when found.\n           --dwarf-skeleton can be used when inspecting a .dwo file.\n     Recognizes GNU locviews with --debug-dump=loc.\n- libdw: New functions dwarf_die_addr_die, dwarf_get_units,\n         dwarf_getabbrevattr_data and dwarf_cu_info.\n         libdw will now try to resolve the alt file on first use of\n         an alt attribute FORM when not set yet with dwarf_set_alt.\n         dwarf_aggregate_size() now works with multi-dimensional arrays.\n- libdwfl: Use process_vm_readv when available instead of ptrace.\n  backends: Add a RISC-V backend.\n  \n  There were various improvements to build on Windows.\n  The sha1 and md5 implementations have been removed, they weren't used.\n\nUpdate to version 0.170:\n\n- libdw: Added new DWARF5 attribute, tag, character encoding, language code,\n         calling convention, defaulted member function and macro constants\n         to dwarf.h.\n\t New functions dwarf_default_lower_bound and dwarf_line_file.\n  \t dwarf_peel_type now handles DWARF5 immutable, packed and shared tags.\n  \t dwarf_getmacros now handles DWARF5 .debug_macro sections.\n- strip: Add -R, --remove-section=SECTION and --keep-section=SECTION.\n- backends: The bpf disassembler is now always build on all platforms.\n\nUpdate to version 0.169:\n\n- backends: Add support for EM_PPC64 GNU_ATTRIBUTES.\n            Frame pointer unwinding fallback support for i386, x86_64, aarch64.\n- translations: Update Polish translation.\n  - CVE-2017-7611: elfutils: DoS (heap-based buffer over-read and application crash) via a crafted ELF file (bsc#1033088)\n  - CVE-2017-7610: elflint: heap-based buffer overflow in check_group (bsc#1033087)\n  - CVE-2017-7609: memory allocation failure in __libelf_decompress (bsc#1033086)\n  - CVE-2017-7607: heap-based buffer overflow in handle_gnu_hashi (readelf.c) (bsc#1033084)\n  - CVE-2017-7608: heap-based buffer overflow in ebl_object_note_type_name (eblobjnotetypename.c) (bsc#1033085)\n  - CVE-2017-7613: elfutils: denial of service (memory consumption) via a crafted ELF file (bsc#1033090)\n  - CVE-2017-7612: elfutils: denial of service (heap-based buffer over-read and application crash) via a crafted ELF file (bsc#1033089)\n- Don't make elfutils recommend elfutils-lang as elfutils-lang\n  already supplements elfutils.\n\ndwarves is shipped new in version 1.22 to provide tooling for use by the Linux Kernel BTF verification framework.\n","id":"SUSE-SU-2022:2614-2","modified":"2022-08-01T08:41:26Z","published":"2022-08-01T08:41:26Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2022/suse-su-20222614-2/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1033084"},{"type":"REPORT","url":"https://bugzilla.suse.com/1033085"},{"type":"REPORT","url":"https://bugzilla.suse.com/1033086"},{"type":"REPORT","url":"https://bugzilla.suse.com/1033087"},{"type":"REPORT","url":"https://bugzilla.suse.com/1033088"},{"type":"REPORT","url":"https://bugzilla.suse.com/1033089"},{"type":"REPORT","url":"https://bugzilla.suse.com/1033090"},{"type":"REPORT","url":"https://bugzilla.suse.com/1082318"},{"type":"REPORT","url":"https://bugzilla.suse.com/1104264"},{"type":"REPORT","url":"https://bugzilla.suse.com/1106390"},{"type":"REPORT","url":"https://bugzilla.suse.com/1107066"},{"type":"REPORT","url":"https://bugzilla.suse.com/1107067"},{"type":"REPORT","url":"https://bugzilla.suse.com/1111973"},{"type":"REPORT","url":"https://bugzilla.suse.com/1112723"},{"type":"REPORT","url":"https://bugzilla.suse.com/1112726"},{"type":"REPORT","url":"https://bugzilla.suse.com/1123685"},{"type":"REPORT","url":"https://bugzilla.suse.com/1125007"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-7607"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-7608"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-7609"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-7610"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-7611"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-7612"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-7613"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-16062"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-16402"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-16403"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-18310"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-18520"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-18521"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-7146"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-7148"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-7149"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-7150"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-7664"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-7665"}],"related":["CVE-2017-7607","CVE-2017-7608","CVE-2017-7609","CVE-2017-7610","CVE-2017-7611","CVE-2017-7612","CVE-2017-7613","CVE-2018-16062","CVE-2018-16402","CVE-2018-16403","CVE-2018-18310","CVE-2018-18520","CVE-2018-18521","CVE-2019-7146","CVE-2019-7148","CVE-2019-7149","CVE-2019-7150","CVE-2019-7664","CVE-2019-7665"],"summary":"Security update for dwarves and elfutils","upstream":["CVE-2017-7607","CVE-2017-7608","CVE-2017-7609","CVE-2017-7610","CVE-2017-7611","CVE-2017-7612","CVE-2017-7613","CVE-2018-16062","CVE-2018-16402","CVE-2018-16403","CVE-2018-18310","CVE-2018-18520","CVE-2018-18521","CVE-2019-7146","CVE-2019-7148","CVE-2019-7149","CVE-2019-7150","CVE-2019-7664","CVE-2019-7665"]}