121 lines
9.0 KiB
XML
121 lines
9.0 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
|
|
<DocumentTitle xml:lang="en">An update for elfutils is now available for openEuler-20.03-LTS-SP3</DocumentTitle>
|
|
<DocumentType>Security Advisory</DocumentType>
|
|
<DocumentPublisher Type="Vendor">
|
|
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
|
|
<IssuingAuthority>openEuler security committee</IssuingAuthority>
|
|
</DocumentPublisher>
|
|
<DocumentTracking>
|
|
<Identification>
|
|
<ID>openEuler-SA-2023-1445</ID>
|
|
</Identification>
|
|
<Status>Final</Status>
|
|
<Version>1.0</Version>
|
|
<RevisionHistory>
|
|
<Revision>
|
|
<Number>1.0</Number>
|
|
<Date>2023-07-29</Date>
|
|
<Description>Initial</Description>
|
|
</Revision>
|
|
</RevisionHistory>
|
|
<InitialReleaseDate>2023-07-29</InitialReleaseDate>
|
|
<CurrentReleaseDate>2023-07-29</CurrentReleaseDate>
|
|
<Generator>
|
|
<Engine>openEuler SA Tool V1.0</Engine>
|
|
<Date>2023-07-29</Date>
|
|
</Generator>
|
|
</DocumentTracking>
|
|
<DocumentNotes>
|
|
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">elfutils security update</Note>
|
|
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for elfutils is now available for openEuler-20.03-LTS-SP3.</Note>
|
|
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">Elfutils is a collection of utilities, including stack (to show backtraces), nm (for listing symbols from object files), size (for listing the section sizes of an object or archive file), strip (for discarding symbols), elflint (to check for well-formed ELF files) and elfcompress (to compress or decompress ELF sections). Also included are helper libraries which implement DWARF, ELF, and machine-specific ELF handling and process introspection. It also provides a DSO which allows reading and writing ELF files on a high level. Third party programs depend on this package to read internals of ELF files. Yama sysctl setting to enable default attach scope settings enabling programs to use ptrace attach, access to /proc/PID/{mem,personality,stack,syscall}, and the syscalls process_vm_readv and process_vm_writev which are used for interprocess services, communication and introspection (like synchronisation, signaling, debugging, tracing and profiling) of processes.
|
|
|
|
Security Fix(es):
|
|
|
|
In elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c .Which allows attackers to cause a denial of service (infinite loop) via crafted file.(CVE-2021-33294)</Note>
|
|
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for elfutils is now available for openEuler-20.03-LTS-SP3.
|
|
|
|
openEuler Security has rated this update as having a security impact of low. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
|
|
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Low</Note>
|
|
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">elfutils</Note>
|
|
</DocumentNotes>
|
|
<DocumentReferences>
|
|
<Reference Type="Self">
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1445</URL>
|
|
</Reference>
|
|
<Reference Type="openEuler CVE">
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-33294</URL>
|
|
</Reference>
|
|
<Reference Type="Other">
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-33294</URL>
|
|
</Reference>
|
|
</DocumentReferences>
|
|
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
|
|
<Branch Type="Product Name" Name="openEuler">
|
|
<FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="aarch64">
|
|
<FullProductName ProductID="elfutils-debuginfod-client-devel-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-debuginfod-client-devel-0.180-14.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-debugsource-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-debugsource-0.180-14.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-0.180-14.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-debuginfo-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-debuginfo-0.180-14.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-devel-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-devel-0.180-14.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-libelf-devel-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-libelf-devel-0.180-14.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-libelf-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-libelf-0.180-14.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-libs-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-libs-0.180-14.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-help-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-help-0.180-14.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-debuginfod-client-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-debuginfod-client-0.180-14.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-debuginfod-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-debuginfod-0.180-14.oe1.aarch64.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="noarch">
|
|
<FullProductName ProductID="elfutils-default-yama-scope-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-default-yama-scope-0.180-14.oe1.noarch.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="src">
|
|
<FullProductName ProductID="elfutils-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-0.180-14.oe1.src.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="x86_64">
|
|
<FullProductName ProductID="elfutils-libelf-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-libelf-0.180-14.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-libelf-devel-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-libelf-devel-0.180-14.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-debuginfod-client-devel-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-debuginfod-client-devel-0.180-14.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-debugsource-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-debugsource-0.180-14.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-debuginfod-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-debuginfod-0.180-14.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-help-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-help-0.180-14.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-devel-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-devel-0.180-14.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-0.180-14.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-libs-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-libs-0.180-14.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-debuginfo-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-debuginfo-0.180-14.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="elfutils-debuginfod-client-0.180-14" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">elfutils-debuginfod-client-0.180-14.oe1.x86_64.rpm</FullProductName>
|
|
</Branch>
|
|
</ProductTree>
|
|
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c .Which allows attackers to cause a denial of service (infinite loop) via crafted file.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2023-07-29</ReleaseDate>
|
|
<CVE>CVE-2021-33294</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>Low</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>2.5</BaseScore>
|
|
<Vector>AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>elfutils security update</Description>
|
|
<DATE>2023-07-29</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1445</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
</cvrfdoc> |