Bug 2346059 (CVE-2025-1372) - CVE-2025-1372 elfutils: GNU elfutils eu-readelf readelf.c print_string_section buffer overflow
Summary: CVE-2025-1372 elfutils: GNU elfutils eu-readelf readelf.c print_string_sectio...
Keywords:
Status: NEW
Alias: CVE-2025-1372
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2346225 2346226
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-02-17 04:01 UTC by OSIDB Bzimport
Modified: 2025-02-18 18:01 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-02-17 04:01:17 UTC 
A vulnerability was found in GNU elfutils 0.192. It has been declared as critical. Affected by this vulnerability is the function dump_data_section/print_string_section of the file readelf.c of the component eu-readelf. The manipulation of the argument z/x leads to buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 73db9d2021cab9e23fd734b0a76a612d52a6f1db. It is recommended to apply a patch to fix this issue.
Comment 3 Mark Wielaard 2025-02-18 10:13:37 UTC 
Note that this CVE was filed without following the upstream SECURITY policy:
https://sourceware.org/cgit/elfutils/tree/SECURITY
This is NOT a security issue according to upstream policy.
It was filed against GNU as vendor but elfutils is not a GNU package.

Upstream request that people who report suspected security vulnerabilities
report them through the contacts in the SECURITY policy and not through non-affiliated CNAs.
Note You need to log in before you can comment on or make changes to this bug.