Debian 10229 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-84-1 gnutls26 security update
ELA-85-1 elfutils security update

Debian GNU/Linux 8 LTS:
DLA 1688-1: waagent update
DLA 1689-1: elfutils security update



ELA-84-1 gnutls26 security update

Package: gnutls26
Version: 2.12.20-8+deb7u6
Related CVE: CVE-2017-7869 CVE-2017-5335 CVE-2017-5336 CVE-2017-5337
GNUTLS-SA-2017-2: CVE-2017-5335, CVE-2017-5336, CVE-2017-5337

It was found that decoding a specially crafted OpenPGP certificate could
lead to heap and stack overflows. This may cause a denial-of-service
(out-of-memory error and crash) or lead to other unspecified impact by
remote attackers. This affects only applications which utilize the OpenPGP
certificate functionality of GnuTLS.

CVE-2017-7869

It was found that decoding a specially crafted OpenPGP certificate could
lead to (A) an integer overflow, resulting in an invalid memory write, (B)
a null pointer dereference resulting in a server crash, and (C) a large
allocation, resulting in a server out-of-memory condition. These affect
only applications which utilize the OpenPGP certificate functionality of
GnuTLS.
For Debian 7 Wheezy, these problems have been fixed in version 2.12.20-8+deb7u6.

We recommend that you upgrade your gnutls26 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

ELA-85-1 elfutils security update

Package: elfutils
Version: 0.152-1+wheezy2
Related CVE: CVE-2017-7608 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612 CVE-2017-7613 CVE-2018-16062 CVE-2018-18310 CVE-2018-18520 CVE-2018-18521 CVE-2019-7149 CVE-2019-7150 CVE-2019-7665
Several issues in elfutils, a collection of utilities to handle ELF objects, have been found either by fuzzing or by using an AddressSanitizer.

CVE-2019-7665 Due to a heap-buffer-overflow problem in function elf32_xlatetom() a crafted ELF input can cause segmentation faults.

CVE-2019-7150 Add sanity check for partial core file dynamic data read.

CVE-2019-7149 Due to a heap-buffer-overflow problem in function read_srclines() a crafted ELF input can cause segmentation faults.

CVE-2018-18521 By using a crafted ELF file, containing a zero sh_entsize, a divide-by-zero vulnerability could allow remote attackers to cause a denial of service (application crash).

CVE-2018-18520 By fuzzing an Invalid Address Deference problem in function elf_end has been found.

CVE-2018-18310 By fuzzing an Invalid Address Read problem in eu-stack has been found.

CVE-2018-16062 By using an AddressSanitizer a heap-buffer-overflow has been found.

CVE-2017-7613 By using fuzzing it was found that an allocation failure was not handled properly.

CVE-2017-7612 By using a crafted ELF file, containing an invalid sh_entsize, a remote attackers could cause a denial of service (application crash).

CVE-2017-7611 By using a crafted ELF file a remote attackers could cause a denial of service (application crash).

CVE-2017-7610 By using a crafted ELF file a remote attackers could cause a denial of service (application crash).

CVE-2017-7608 By fuzzing a heap based buffer overflow has been detected.

For Debian 7 Wheezy, these problems have been fixed in version 0.152-1+wheezy2.

We recommend that you upgrade your elfutils packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/


DLA 1688-1: waagent update

Package : waagent
Version : 2.2.18-3~deb8u1

A newer version of waagent is needed for several features of the Azure
platform.

For Debian 8 "Jessie", this problem has been fixed in version
2.2.18-3~deb8u1.

We recommend that you upgrade your waagent packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1689-1: elfutils security update




Package : elfutils
Version : 0.159-4.2+deb8u1
CVE ID : CVE-2017-7608 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612
CVE-2017-7613 CVE-2018-16062 CVE-2018-18310 CVE-2018-18520
CVE-2018-18521 CVE-2019-7149 CVE-2019-7150 CVE-2019-7665


Several issues in elfutils, a collection of utilities to handle ELF
objects, have been found either by fuzzing or by using an
AddressSanitizer.

CVE-2019-7665
Due to a heap-buffer-overflow problem in function elf32_xlatetom()
a crafted ELF input can cause segmentation faults.

CVE-2019-7150
Add sanity check for partial core file dynamic data read.

CVE-2019-7149
Due to a heap-buffer-overflow problem in function read_srclines()
a crafted ELF input can cause segmentation faults.

CVE-2018-18521
By using a crafted ELF file, containing a zero sh_entsize, a
divide-by-zero vulnerability could allow remote attackers to
cause a denial of service (application crash).

CVE-2018-18520
By fuzzing an Invalid Address Deference problem in function elf_end
has been found.

CVE-2018-18310
By fuzzing an Invalid Address Read problem in eu-stack has been
found.

CVE-2018-16062
By using an AddressSanitizer a heap-buffer-overflow has been found.

CVE-2017-7613
By using fuzzing it was found that an allocation failure was not
handled properly.

CVE-2017-7612
By using a crafted ELF file, containing an invalid sh_entsize, a
remote attackers could cause a denial of service (application crash).

CVE-2017-7611
By using a crafted ELF file a remote attackers could cause a denial
of service (application crash).

CVE-2017-7610
By using a crafted ELF file a remote attackers could cause a denial
of service (application crash).

CVE-2017-7608
By fuzzing a heap based buffer overflow has been detected.


For Debian 8 "Jessie", these problems have been fixed in version
0.159-4.2+deb8u1.

We recommend that you upgrade your elfutils packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS