Patchelf v0.9 was discovered to contain an out-of-bounds read via the function modifyRPath at src/patchelf.cc. Reference: https://github.com/NixOS/patchelf/pull/419
Created patchelf tracking bugs for this issue:

Affects: epel-all [bug 2158360]
Affects: fedora-all [bug 2158361]
This CVE seems to be fixed in versions 0.16.0 or greater. Possibly affected releases are:

Fedora 37 patchelf-0.15.0-1.fc37
Fedora 36 patchelf-0.13-2.fc36
Fedora EPEL 9 patchelf-0.15.0-1.el9
Fedora EPEL 8 patchelf-0.12-1.el8
Fedora EPEL 7 patchelf-0.12-1.el7

However, after looking through recent commits there are also these potential security patches (without CVE numbers):

https://github.com/NixOS/patchelf/commit/e9d339465963968ea98cc98a5c218ccfef9b74f3 (not included in the latest release)
https://github.com/NixOS/patchelf/commit/bf62fda4ecab0dc44a0b823517d1cf22633adc25 (fixed in 0.14 and later)
https://github.com/NixOS/patchelf/commit/fa8896a5a8651dd399f0ad4dfbabb3df9767d847 (fixed in 0.13 and later)

One potential issue is that C++17 is required from 0.14 or later, which may cause issues in EPEL7+8. The patches do not apply cleanly to older versions as the code has substantially changed. Perhaps the cleanest is to go to 0.17.0 everywhere, and include the patch not included in the latest release (I'll ask upstream to make a new release with this). Probably Developer Toolset is necessary for EPEL7+8.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.