elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.
https://github.com/schsiung/fuzzer_issues/issues/1
https://sourceware.org/bugzilla/show_bug.cgi?id=31058
https://sourceware.org/elfutils/
This bug was discussed with the reporter by upstream developers and redhat secalert on Jan 9/10 (INC2833485). The conclusion then was that this was a normal bug and not a security issue. Crashes in the standalone utilities on untrustworthy inputs are not normally seen as security issues, because they don't cause privilege escalation. See our SECURITY policy at: https://sourceware.org/cgit/elfutils/tree/SECURITY
Note that the description "a NULL pointer dereference via the handle_verdef() function at readelf.c" doesn't match what is shown in https://github.com/schsiung/fuzzer_issues/issues/1, which is an integer overflow which is only triggered when building with the undefined sanitizer (ubsan), but doesn't impact non-instrumented code (the verdef is detected as bogus and not processed further). Also note it doesn't match the upstream elfutils bug referenced: https://sourceware.org/bugzilla/show_bug.cgi?id=31058, which is an issue that only triggers when the code is compiled with the address sanitizer (asan), otherwise the code might just print a random global string.
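The comment above says the non-instrumented readelf detects the verdef as bogus and stops processing it. The following is an added example, not elfutils code, of what such a check looks like in general for a version-definition (SHT_GNU_verdef) section: every vd_aux, vd_next and vda_next step is validated against the section size with wrap-free arithmetic before it is followed, so a corrupt offset yields a clean "bogus" result instead of an out-of-range read. The section bytes are constructed inline; the struct layout offsets are the standard Elf64_Verdef / Elf64_Verdaux ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* On-disk sizes of Elf64_Verdef / Elf64_Verdaux (same layout in ELF32). */
#define VERDEF_SIZE 20u
#define VERDAUX_SIZE 8u

/* Little-endian readers; the caller has already bounds-checked `off`. */
static uint16_t rd16(const unsigned char *p, size_t off) {
    return (uint16_t)(p[off] | (p[off + 1] << 8));
}
static uint32_t rd32(const unsigned char *p, size_t off) {
    return (uint32_t)p[off] | ((uint32_t)p[off + 1] << 8) |
           ((uint32_t)p[off + 2] << 16) | ((uint32_t)p[off + 3] << 24);
}

/* True if `len` bytes at `off` fit in `size` bytes; written as a subtraction
   so that `off + len` can never overflow, whatever the attacker-chosen value. */
static int in_bounds(size_t off, size_t len, size_t size) {
    return off <= size && len <= size - off;
}

/* Walks the verdef chain and returns the number of well-formed entries,
   or -1 as soon as an entry or offset would leave the section. */
int count_verdefs(const unsigned char *sec, size_t size) {
    int count = 0;
    size_t off = 0;
    for (;;) {
        if (!in_bounds(off, VERDEF_SIZE, size))
            return -1;                          /* entry itself is truncated */
        uint16_t vd_cnt  = rd16(sec, off + 6);
        uint32_t vd_aux  = rd32(sec, off + 12);
        uint32_t vd_next = rd32(sec, off + 16);

        /* Validate the auxiliary (name) chain hanging off this entry. */
        if (!in_bounds(off, vd_aux, size))
            return -1;
        size_t aux = off + vd_aux;
        for (uint16_t i = 0; i < vd_cnt; i++) {
            if (!in_bounds(aux, VERDAUX_SIZE, size))
                return -1;
            uint32_t vda_next = rd32(sec, aux + 4);
            if (i + 1 < vd_cnt) {
                if (vda_next == 0 || !in_bounds(aux, vda_next, size))
                    return -1;                  /* chain ends early or escapes */
                aux += vda_next;
            }
        }
        count++;
        if (vd_next == 0)
            return count;                       /* last entry */
        if (!in_bounds(off, vd_next, size))
            return -1;                          /* bogus vd_next: stop here */
        off += vd_next;                         /* vd_next > 0, so this always advances */
    }
}

/* Little-endian writers used only to build the constructed sample below. */
static void put16(unsigned char *p, size_t off, uint16_t v) {
    p[off] = (unsigned char)v; p[off + 1] = (unsigned char)(v >> 8);
}
static void put32(unsigned char *p, size_t off, uint32_t v) {
    for (int i = 0; i < 4; i++) p[off + i] = (unsigned char)(v >> (8 * i));
}

/* Constructed two-entry section (56 bytes): each entry is followed by one aux
   record (vd_aux = 20); entry 0 links to entry 1 at byte 28 (vd_next = 28). */
size_t build_sample(unsigned char *buf, size_t cap) {
    if (cap < 56) return 0;
    memset(buf, 0, 56);
    put16(buf, 0, 1); put16(buf, 2, 1); put16(buf, 4, 1); put16(buf, 6, 1);
    put32(buf, 8, 0x1234); put32(buf, 12, 20); put32(buf, 16, 28);
    put32(buf, 20, 5); put32(buf, 24, 0);       /* aux 0: vda_name=5, vda_next=0 */
    put16(buf, 28, 1); put16(buf, 30, 0); put16(buf, 32, 2); put16(buf, 34, 1);
    put32(buf, 36, 0x5678); put32(buf, 40, 20); put32(buf, 44, 0);
    put32(buf, 48, 9); put32(buf, 52, 0);       /* aux 1: vda_name=9, vda_next=0 */
    return 56;
}

int demo_valid(void) {                          /* well-formed: 2 entries */
    unsigned char b[56]; size_t n = build_sample(b, sizeof b);
    return count_verdefs(b, n);
}
int demo_bogus_next(void) {                     /* huge vd_next would wrap a naive add */
    unsigned char b[56]; size_t n = build_sample(b, sizeof b);
    put32(b, 16, 0xFFFFFFF0u); return count_verdefs(b, n);
}
int demo_bogus_aux(void) {                      /* vd_aux points far past the section */
    unsigned char b[56]; size_t n = build_sample(b, sizeof b);
    put32(b, 12, 0x7FFFFFFFu); return count_verdefs(b, n);
}
int demo_truncated(void) {                      /* section cut short mid-entry */
    unsigned char b[56]; build_sample(b, sizeof b);
    return count_verdefs(b, 40);
}

int main(void) {
    printf("valid=%d bogus_next=%d bogus_aux=%d truncated=%d\n",
           demo_valid(), demo_bogus_next(), demo_bogus_aux(), demo_truncated());
    return 0;
}
```

The point of `in_bounds` is that the check is phrased as `len <= size - off` rather than `off + len <= size`: the second form is exactly the kind of addition on untrusted 32-bit offsets that ubsan flags as an overflow, while the first cannot wrap. A reader of a real ELF (or any record-chain format) should reject the entry at the first failed check and not consult any field behind the bad offset.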