Bug 1625050 (CVE-2018-16402)

Summary: CVE-2018-16402 elfutils: Double-free due to double decompression of sections in crafted ELF causes crash
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abhgupta, bmcclain, dbaker, dblechte, dfediuck, drepper, eedri, fche, jakub, jokerman, kanderso, mcermak, me, mgoldboi, michal.skrivanek, mjw, mjw, mnewsome, ohudlick, sbonazzo, sherold, sthangav, trankin
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 13:19:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1625051, 1625052, 1625399, 1625400, 1625401, 1822312    
Bug Blocks: 1625054    

Description Sam Fowler 2018-09-04 04:26:47 UTC 
Elfutils through version 0.173 is vulnerable to a double-free in the libelf/elf_end.c:elf_end() function due to the decompression of section data multiple times.. An attacker could exploit this to cause a crash or possibly have unspecified other impact via a crafted ELF.


Upstream Bug:

https://sourceware.org/bugzilla/show_bug.cgi?id=23528


Upstream Patch:

https://sourceware.org/git/?p=elfutils.git;a=patch;h=56b18521fb8d46d40fc090c0de9d11a08bc982fa
Comment 1 Sam Fowler 2018-09-04 04:27:37 UTC 
Created elfutils tracking bugs for this issue:

Affects: fedora-all [bug 1625051]
Comment 4 Scott Gayou 2018-09-04 19:46:04 UTC 
Reproduced on 7+ quite easily. Did not reproduce on 5/6. 6 was running 0.164.
Comment 6 Mark Wielaard 2018-09-04 20:03:42 UTC 
(In reply to Scott Gayou from comment #4)
> Reproduced on 7+ quite easily. Did not reproduce on 5/6. 6 was running 0.164.

That makes sense, support for compressed ELF sections was introduced in elfutils 0.165.
Comment 9 errata-xmlrpc 2019-08-06 12:27:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2197 https://access.redhat.com/errata/RHSA-2019:2197
Comment 10 Product Security DevOps Team 2019-08-06 13:19:14 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-16402
Comment 12 errata-xmlrpc 2020-04-14 17:41:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:1471 https://access.redhat.com/errata/RHSA-2020:1471