SB2018123005 - Arch Linux update for elfutils
Published: December 30, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Segmentation fault (CVE-ID: CVE-2018-18310)
The vulnerability allows a local attacker to cause DoS condition on the target system.
The vulnerability exists in the dwfl_segment_report_module.c source code file in the libdwfl library due to improper handling of Executable and Linkable Format (ELF) files. A local attacker can send an ELF file that submits malicious input, execute the eu-stack command, trigger a segmentation fault and cause the affected application to crash.
2) Null pointer dereference (CVE-ID: CVE-2018-18520)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to due to improper handling of Executable and Linkable Format (ELF) files by the elf_end function, as defined in the size.c source code file. A remote attacker can trick the victim into opening a specially crafted ELF file that submits malicious input, trigger NULL pointer dereference and cause application to crash.
3) Divide by zero (CVE-ID: CVE-2018-18521)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to due to improper handling of Executable and Linkable Format (ELF) files by the arlib_add_symbols function, as defined in the arlib.c source code file. A remote attacker can trick the victim into opening a specially crafted ELF file that submits malicious input, trigger a divide-by-zero condition and cause application to crash.
Remediation
Install update from vendor's website.