Micah Anderson
2006-Mar-13 12:28 UTC
[Secure-testing-team] Integer overflow in applications parsing ELF headers
On Wed, 11 May 2005, Joey Hess wrote:
> Moritz Muehlenhoff wrote:
> > Are there other applications inside Debian embedding BFD or parsing ELF
> > binaries with their own code?

Is there more detailed information about this? The gentoo page doesn't have much. Additionally, the bug seems to say that the bfd binaries are affected, but not everything that links with bfd.

> Here's everything that build depends on binutils-dev:
>
> crash

crash uses libbfd (as listed), but it uses it via gdb, and gdb provides its own bfd, so as long as gdb is fixed, crash is fine. However crash provides its own gdb, so is directly affected. I've spoken with the upstream authors about this and they are working on understanding the problem and if it affects crash. Hold off on submitting a bug on this while I sort this out - I'll file a bug if it is affected.

> lcrash

I've spoken to the upstream author about this, lcrash only uses libbfd for some disassembly work, so it seems pretty outside case scenario, but again they are investigating the relative vulnerability and I will file a bug on this if it is deemed vulnerable.

> "Note that building Debian packages which depend on the shared libbfd is
> Not Allowed." *sigh*!

I see this in the binutils-dev package description, however I don't see it anywhere else, not in the policy, not in lintian/linda checks, not on any mailing lists.... I see a couple of people on debian-devel asking what the deal is with this, but no informative responses. Does anyone know *why* this is and why this isn't documented somewhere more visible?

micah
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Integer overflow in applications parsing ELF headers
Andrew Pollock wrote:
> > Are there other applications inside Debian embedding BFD or parsing ELF
> > binaries with their own code?
>
> Potentially elfsign.

You can check with the crafted test binary in this Gentoo bug:
http://bugs.gentoo.org/show_bug.cgi?id=91398

Cheers,
Moritz
sfritsch@ph.tum.de
2006-Mar-13 12:28 UTC
[Secure-testing-team] Integer overflow in applications parsing ELF headers
On Wed, 11 May 2005, Moritz Muehlenhoff wrote:
> Are there other applications inside Debian embedding BFD or parsing ELF
> binaries with their own code?

Possibly chpax and paxctl.

Stefan
Andrew Pollock
2006-Mar-13 12:28 UTC
[Secure-testing-team] Integer overflow in applications parsing ELF headers
On Wed, May 11, 2005 at 01:05:01PM +0200, Moritz Muehlenhoff wrote:
> Hi,
> It's been discovered that a wide range of applications parsing ELF segment
> headers are vulnerable to an integer overflow when allocating memory for
> segment headers. Applications already known to be affected are:
> binutils
> elfutils
> gdb
> ht (already filed a minute ago)
> prelink
>
> Are there other applications inside Debian embedding BFD or parsing ELF
> binaries with their own code?
>

Potentially elfsign.

regards

Andrew
Stefan Fritsch
2006-Mar-13 12:28 UTC
[Secure-testing-team] Integer overflow in applications parsing ELF headers
On Wednesday 11 May 2005 15:54, Stefan_Fritsch@ph.tum.de wrote:
> > Are there other applications inside Debian embedding BFD or
> > parsing ELF binaries with their own code?
>
> Possibly chpax and paxctl.

These two don't seem to be affected. At least they don't segfault with the example binary from the gentoo bug.

Cheers,
Stefan
Joey Hess
2006-Mar-13 12:28 UTC
[Secure-testing-team] Integer overflow in applications parsing ELF headers
Moritz Muehlenhoff wrote:
> It's been discovered that a wide range of applications parsing ELF segment
> headers are vulnerable to an integer overflow when allocating memory for
> segment headers. Applications already known to be affected are:
> binutils
> elfutils
> gdb
> ht (already filed a minute ago)
> prelink
>
> Are there other applications inside Debian embedding BFD or parsing ELF
> binaries with their own code?

Newer versions of rpm than the one in Debian contain a copy of elfutils, haven't checked it.

Here's everything that build depends on binutils-dev:

acl2
alleyoop
axiom
crash
fenris
gccchecker
gcl
gclcvs
ggcov
insight
kdebindings
kdesdk
kmd
ksymoops
lcrash
ltrace
lush
maxima
memprof
mol
mpatrol
nitpic
nmap
oprofile
oprofile-source
kernel-patch-kdb

"Note that building Debian packages which depend on the shared libbfd is
Not Allowed." *sigh*!

-- 
see shy jo
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Integer overflow in applications parsing ELF headers
Joey Hess wrote:
> > binutils
> > elfutils
> > gdb
> > ht (already filed a minute ago)
> > prelink

I've filed bugs for all of these, except elfutils which is non-free and not part of Debian (I must have mistaken it with another program).

> Here's everything that build depends on binutils-dev:
>
> acl2
> alleyoop
> axiom
> crash
> fenris
> gccchecker
> gcl
> gclcvs
> ggcov
> insight
> kdebindings
> kdesdk
> kmd
> ksymoops
> lcrash
> ltrace
> lush
> maxima
> memprof
> mol
> mpatrol
> nitpic
> nmap
> oprofile
> oprofile-source
> kernel-patch-kdb
>
> "Note that building Debian packages which depend on the shared libbfd is
> Not Allowed." *sigh*!

Fun, I'll start with acl2, alleyoop, axiom, crash and fenris.

Cheers,
Moritz
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Integer overflow in applications parsing ELF headers
Hi,

It's been discovered that a wide range of applications parsing ELF segment headers are vulnerable to an integer overflow when allocating memory for segment headers. Applications already known to be affected are:

binutils
elfutils
gdb
ht (already filed a minute ago)
prelink

Are there other applications inside Debian embedding BFD or parsing ELF binaries with their own code?

Cheers,
Moritz
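
An added illustration of the bug class named in the announcement above (not code from this thread, from BFD or from any of the listed packages): a loader that widens the ELF64 header's 16-bit `e_phnum` and `e_phentsize` before multiplying and bounds the segment header table by the file length before allocating. The function names `load_phdrs` and `make_sample` and the constructed sample header are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* ELF64 file header layout (ELF specification): field offsets in bytes. */
enum { EHDR_SIZE = 64, OFF_PHOFF = 32, OFF_PHENTSIZE = 54, OFF_PHNUM = 56,
       PHDR_SIZE = 56 };

static uint64_t rd_le(const unsigned char *p, int n)   /* little-endian read */
{
    uint64_t v = 0;
    while (n-- > 0) v = (v << 8) | p[n];
    return v;
}

/* Copy the program (segment) header table out of an in-memory ELF64 LE file.
 * Returns a malloc'd table and sets *count, or NULL on an inconsistent header. */
unsigned char *load_phdrs(const unsigned char *file, size_t len, size_t *count)
{
    if (len < EHDR_SIZE || memcmp(file, "\177ELF", 4) != 0 ||
        file[4] != 2 /* ELFCLASS64 */ || file[5] != 1 /* ELFDATA2LSB */)
        return NULL;
    uint64_t phoff   = rd_le(file + OFF_PHOFF, 8);
    uint64_t entsize = rd_le(file + OFF_PHENTSIZE, 2);
    uint64_t num     = rd_le(file + OFF_PHNUM, 2);
    if (num == 0 || entsize != PHDR_SIZE)
        return NULL;                    /* entry size is fixed, not file-chosen */
    /* Widen before multiplying: two uint16_t operands promote to int, and raw
     * header values such as 0xffff * 0xffff do not fit in a 32-bit int. */
    uint64_t total = num * entsize;
    if (phoff > len || total > len - phoff)
        return NULL;                    /* table must lie inside the file */
    unsigned char *tbl = malloc((size_t)total);
    if (tbl == NULL) return NULL;
    memcpy(tbl, file + phoff, (size_t)total);
    *count = (size_t)num;
    return tbl;
}

/* Constructed sample: minimal ELF64 header claiming `num` program headers. */
void make_sample(unsigned char *buf, size_t len, uint64_t phoff, unsigned num)
{
    memset(buf, 0, len);
    memcpy(buf, "\177ELF\002\001\001", 7);
    buf[OFF_PHOFF] = (unsigned char)phoff;          /* small offsets only */
    buf[OFF_PHENTSIZE] = PHDR_SIZE;
    buf[OFF_PHNUM] = num & 0xff; buf[OFF_PHNUM + 1] = (num >> 8) & 0xff;
}
```
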