Bug 2346055 (CVE-2025-1371)

Summary: CVE-2025-1371 elfutils: GNU elfutils eu-read readelf.c handle_dynamic_symtab null pointer dereference
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: amerey, mjw
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in GNU elfutils. This vulnerability allows a NULL pointer dereference via the handle_dynamic_symtab function in readelf.c.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2025-05-30 14:20:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2346227, 2346228    
Bug Blocks:    

Description OSIDB Bzimport 2025-02-17 03:01:13 UTC 
A vulnerability has been found in GNU elfutils 0.192 and classified as problematic. This vulnerability affects the function handle_dynamic_symtab of the file readelf.c of the component eu-read. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is identified as b38e562a4c907e08171c76b8b2def8464d5a104a. It is recommended to apply a patch to fix this issue.
Comment 2 Mark Wielaard 2025-02-18 10:12:30 UTC 
Note that this CVE was filed without following the upstream SECURITY policy:
https://sourceware.org/cgit/elfutils/tree/SECURITY
This is NOT a security issue according to upstream policy.
It was filed against GNU as vendor but elfutils is not a GNU package.

Upstream request that people who report suspected security vulnerabilities
report them through the contacts in the SECURITY policy and not through non-affiliated CNAs.