Headline
Ubuntu Security Notice USN-6322-1
Ubuntu Security Notice 6322-1 - It was discovered that elfutils incorrectly handled certain malformed files. If a user or automated system were tricked into processing a specially crafted file, elfutils could be made to crash or consume resources, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. It was discovered that elfutils incorrectly handled bounds checks in certain functions when processing malformed files. If a user or automated system were tricked into processing a specially crafted file, elfutils could be made to crash or consume resources, resulting in a denial of service.
==========================================================================
Ubuntu Security Notice USN-6322-1
August 30, 2023

elfutils vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in elfutils.

Software Description:
- elfutils: collection of utilities to handle ELF objects

Details:

It was discovered that elfutils incorrectly handled certain malformed
files. If a user or automated system were tricked into processing a
specially crafted file, elfutils could be made to crash or consume
resources, resulting in a denial of service. This issue only affected
Ubuntu 14.04 LTS. (CVE-2018-16062, CVE-2018-16403, CVE-2018-18310,
CVE-2018-18520, CVE-2018-18521, CVE-2019-7149, CVE-2019-7150,
CVE-2019-7665)

It was discovered that elfutils incorrectly handled bounds checks in
certain functions when processing malformed files. If a user or automated
system were tricked into processing a specially crafted file, elfutils
could be made to crash or consume resources, resulting in a denial of
service. (CVE-2020-21047, CVE-2021-33294)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
  elfutils 0.176-1.1ubuntu0.1
  libasm1 0.176-1.1ubuntu0.1
  libdw1 0.176-1.1ubuntu0.1
  libelf1 0.176-1.1ubuntu0.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  elfutils 0.170-0.4ubuntu0.1+esm1
  libasm1 0.170-0.4ubuntu0.1+esm1
  libdw1 0.170-0.4ubuntu0.1+esm1
  libelf1 0.170-0.4ubuntu0.1+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  elfutils 0.165-3ubuntu1.2+esm1
  libasm1 0.165-3ubuntu1.2+esm1
  libdw1 0.165-3ubuntu1.2+esm1
  libelf1 0.165-3ubuntu1.2+esm1

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
  elfutils 0.158-0ubuntu5.3+esm1
  libasm1 0.158-0ubuntu5.3+esm1
  libdw1 0.158-0ubuntu5.3+esm1
  libelf1 0.158-0ubuntu5.3+esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6322-1
  CVE-2018-16062, CVE-2018-16403, CVE-2018-18310, CVE-2018-18520,
  CVE-2018-18521, CVE-2019-7149, CVE-2019-7150, CVE-2019-7665,
  CVE-2020-21047, CVE-2021-33294

Package Information:
  https://launchpad.net/ubuntu/+source/elfutils/0.176-1.1ubuntu0.1
Related news
The libcpu component, which is used by libasm of elfutils version 0.177 (git 47780c9e), suffers from a denial-of-service vulnerability caused by application crashes due to an out-of-bounds write (CWE-787), an off-by-one error (CWE-193) and a reachable assertion (CWE-617); to exploit the vulnerability, attackers need to craft certain ELF files which bypass the missing bounds checks.
In elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c, which allows attackers to cause a denial of service (infinite loop) via a crafted file.
Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.1.0.0.5.394 contain a plain-text password storage vulnerability. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user.