Re: elfutils issues

To: Luciano Bello <luciano@debian.org>
Cc: Alexander Cherepanov <cherepan@mccme.ru>, debian-security@lists.debian.org, debian-user@lists.debian.org, team@security.debian.org
Subject: Re: elfutils issues
From: Kurt Roeckx <kurt@roeckx.be>
Date: Wed, 31 Dec 2014 14:00:15 +0100
Message-id: <[🔎] 20141231130015.GA31207@roeckx.be>
In-reply-to: <[🔎] 3900930.0n1URhHoe7@box>
References: <[🔎] 17100744.7nMcH3bRfP@box> <[🔎] 5499443E.4060008@mccme.ru> <[🔎] 3900930.0n1URhHoe7@box>

On Fri, Dec 26, 2014 at 02:02:31PM +0100, Luciano Bello wrote:
> > BTW, the situation with elfutils is somewhat similar, the bug report is
> > here:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1170810
> 
> I'm reporting this issue to our elfutils maintainer to keep the track of it. Do 
> you know if there is a plan to get CVE id for this/these issue/s?

So there have been alot of fixes in upstream elfutils because of
the fuzzing, and at least some those should probably get a CVE.

One of the upstream statements:
| I think it is reasonable
| to just say that we are working towards making it safe to process arbitrary
| random ELF files and DWARF debuginfo data with elfutils by 0.162 (to be
| released on March). But that in general people should only use elfutils
| tools and libraries on files produced by a trusted toolchain for now.

Kurt

Reply to:

References:
- Testing needed for binutils security update
  - From: Luciano Bello <luciano@debian.org>
- Re: Testing needed for binutils security update
  - From: Alexander Cherepanov <cherepan@mccme.ru>
- Re: Testing needed for binutils security update
  - From: Luciano Bello <luciano@debian.org>

Prev by Date: Re: Jumbo frame Debian Wheezy.
Next by Date: Re: Continuing to use SysV; LTS [Re: Fwd: Re: Skipping fsck during boot with systemd?]
Previous by thread: Re: Testing needed for binutils security update
Next by thread: Jessie KDE desktop doesn't communicate with Java
Index(es):
- Date
- Thread