Created elfutils tracking bugs for this issue:

Affects: fedora-all [bug 1559243]

Note that this is only used by eu-readelf and eu-elflint, it isn't exposed through any library.

It isn't in upstream 0.170, but can though a backport of upstream commit:

commit 88f3d2daa107b09fdba376a82bce7ed534c93645
Author: Mark Wielaard <mark@klomp.org>
Date:   Sat Feb 17 00:23:19 2018 +0100

    libelf: Sync elf.h from glibc.
    
    Signed-off-by: Mark Wielaard <mark@klomp.org>

Which is part of elfutils-0.170-elf_sync.patch which was added in Fedora in 0.170-9.

ISTM the CVSS score overstates the severity of this bug.  I cannot think of a way in which confidentiality or availability is harmed by this, so 3.3=low seems to be more accurate.

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Given that a fix is already in upstream elfutils, any objections to CLOSED/NEXTRELEASE for the fedora BZ?

I lowered the CVSSv3 score. Only Availability is affected, because you could make the program crash in case ebl_dynamic_tag_name returns a pointer to unmapped memory. It could also print other strings or values found in the process memory, but there is no way for an attacker to extract those strings, so I didn't put C:L.

Correction to previous comment: depending on how the programs gets compiled, the ebl_dynamic_tag_name function could either return a valid or an invalid pointer. In the first case you would just see a wrong string when displaying ELF info, in the second case you would get a crash. Thus I:L, A:L in the CVSSv3 score.

Statement:

This issue did not affect the versions of elfutils as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they did not include the vulnerable commit.

This issue did not affect the versions of elfutils as shipped with Red Hat Developer Toolset 6 and 7 as they did not include the vulnerable commit.