Re: elfutils issues
On Fri, Dec 26, 2014 at 02:02:31PM +0100, Luciano Bello wrote:
> > BTW, the situation with elfutils is somewhat similar, the bug report is
> > here:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1170810
> I'm reporting this issue to our elfutils maintainer to keep the track of it. Do
> you know if there is a plan to get CVE id for this/these issue/s?
So there have been alot of fixes in upstream elfutils because of
the fuzzing, and at least some those should probably get a CVE.
One of the upstream statements:
| I think it is reasonable
| to just say that we are working towards making it safe to process arbitrary
| random ELF files and DWARF debuginfo data with elfutils by 0.162 (to be
| released on March). But that in general people should only use elfutils
| tools and libraries on files produced by a trusted toolchain for now.