Bug 2265194 (CVE-2024-25260) - CVE-2024-25260 elfutils: global-buffer-overflow exists in the function ebl_machine_flag_name in eblmachineflagname.c
Summary: CVE-2024-25260 elfutils: global-buffer-overflow exists in the function ebl_ma...
Keywords:
Status: NEW
Alias: CVE-2024-25260
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2265195 2265196 2265197
Blocks: 2265193
TreeView+ depends on / blocked
 
Reported: 2024-02-20 20:47 UTC by Patrick Del Bello
Modified: 2024-03-14 19:40 UTC (History)
8 users (show)

Fixed In Version: elfutils 0.190
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference vulnerability in the elfutils library has been discovered. This vulnerability occurs within the handle_verdef() function in the readelf.c source file. A NULL pointer dereference typically happens when a program attempts to access memory using a pointer that is not pointing anywhere (i.e., it's NULL), leading to a crash or potentially exploitable behavior.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Patrick Del Bello 2024-02-20 20:47:27 UTC
elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.

https://github.com/schsiung/fuzzer_issues/issues/1
https://sourceware.org/bugzilla/show_bug.cgi?id=31058
https://sourceware.org/elfutils/

Comment 2 Mark Wielaard 2024-02-20 21:12:05 UTC
This bug was discussed with the reporter by upstream developers and redhat secalert on Jan 9/10 (INC2833485).

The conclusion then was that this was a normal bug and not a security issue.

Crashes in the standalone utilities on untrustworthy
inputs are not normally seen as security issues, because they don't
cause privilege escalation. See our SECURITY policy at:
https://sourceware.org/cgit/elfutils/tree/SECURITY

Comment 3 Mark Wielaard 2024-02-21 09:28:05 UTC
Note that the description "a NULL pointer dereference via the handle_verdef() function at readelf.c" doesn't match what is shown in
https://github.com/schsiung/fuzzer_issues/issues/1
Which is an integer overflow which is only triggered when building with the undefined sanitizer (ubsan), but doesn't impact non-instrumented code (the verdef is detected as bogus and not processed further)
.
Also note it doesn't match the upstream elfutils bug referenced:
https://sourceware.org/bugzilla/show_bug.cgi?id=31058
Which is an issue that only triggers when the code is compiled with the address sanitizer (asan), otherwise the code might just print an random global string.


Note You need to log in before you can comment on or make changes to this bug.