elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.
https://github.com/schsiung/fuzzer_issues/issues/1
https://sourceware.org/bugzilla/show_bug.cgi?id=31058
https://sourceware.org/elfutils/
This bug was discussed with the reporter by upstream developers and redhat secalert on Jan 9/10 (INC2833485). The conclusion then was that this was a normal bug and not a security issue. Crashes in the standalone utilities on untrustworthy inputs are not normally seen as security issues, because they don't cause privilege escalation. See our SECURITY policy at: https://sourceware.org/cgit/elfutils/tree/SECURITY
Note that the description "a NULL pointer dereference via the handle_verdef() function at readelf.c" doesn't match what is shown in https://github.com/schsiung/fuzzer_issues/issues/1 That is an integer overflow which is only triggered when building with the undefined sanitizer (ubsan), but doesn't impact non-instrumented code (the verdef is detected as bogus and not processed further). Also note it doesn't match the upstream elfutils bug referenced: https://sourceware.org/bugzilla/show_bug.cgi?id=31058 That is an issue that only triggers when the code is compiled with the address sanitizer (asan); otherwise the code might just print a random global string.
Closing as this isn't a security issue according to the elfutils security policy: https://sourceware.org/cgit/elfutils/tree/SECURITY