Created attachment 177706 [details] Port update -Update URL -Update to latest version. -Add LICENSE. Apparently previous versions have a huge amount of vulnerabilities: CVE-ID : CVE-2016-5027 CVE-2016-5028 CVE-2016-5029 CVE-2016-5030 CVE-2016-5031 CVE-2016-5032 CVE-2016-5033 CVE-2016-5035 CVE-2016-5037 CVE-2016-5040 CVE-2016-5041 CVE-2016-5043 CVE-2016-5044 CVE-2016-7510 CVE-2016-7511 CVE-2016-8679 CVE-2016-8680 CVE-2016-8681 CVE-2016-9275 CVE-2016-9276 CVE-2016-9480 CVE-2016-9558 More information on: https://lwn.net/Articles/708092/
Should the CVE's be documented against dwarfdump or libdwarf? It seems like the binary in dwarfdump would be the vector. Look at the referenced source they are all "won't fix" bugs in RHEL 7's security advisories and low priority. We can look at applying the batch of updates in one go and followup with VuXML when that happens. Ping for joerg@ again for his expertise. If need be we are at maintainer timeout.
(In reply to Jason Unovitch from comment #1) The vulnerabilities are in libdwarf; dwardump only reads values (I think) so it would not be a reasonable target. IMHO, while the number of vulnerabilities is impressive, they have little chance of being relevant: an attack would have to use a carefully crafted executable that is expected to be debugged with this libdwarf. Luckily, for base we use the library from the Elftoolchain project and we don't have any plans to ship this one due to the license.
A commit references this bug: Author: feld Date: Mon Jan 9 17:32:04 UTC 2017 New revision: 430987 URL: https://svnweb.freebsd.org/changeset/ports/430987 Log: Document libdwarf vulnerabilities Security: CVE-2016-5027 CVE-2016-5028 CVE-2016-5029 CVE-2016-5030 Security: CVE-2016-5031 CVE-2016-5032 CVE-2016-5033 CVE-2016-5035 Security: CVE-2016-5037 CVE-2016-5040 CVE-2016-5041 CVE-2016-5043 Security: CVE-2016-5044 CVE-2016-7510 CVE-2016-7511 CVE-2016-8679 Security: CVE-2016-8680 CVE-2016-8681 CVE-2016-9275 CVE-2016-9276 Security: CVE-2016-9480 CVE-2016-9558 PR: 215085 Changes: head/security/vuxml/vuln.xml
A commit references this bug: Author: feld Date: Mon Jan 9 17:33:51 UTC 2017 New revision: 430988 URL: https://svnweb.freebsd.org/changeset/ports/430988 Log: devel/libdwarf: Update and fix vulnerabilties -Update URL -Add LICENSE PR: 215085 Approved by: maintainer timeout MFH: 2017Q1 Changes: head/devel/libdwarf/Makefile head/devel/libdwarf/distinfo head/devel/libdwarf/files/ head/devel/libdwarf/pkg-descr head/devel/libdwarf/pkg-plist
A commit references this bug: Author: feld Date: Mon Jan 9 17:35:23 UTC 2017 New revision: 430989 URL: https://svnweb.freebsd.org/changeset/ports/430989 Log: MFH: r430988 devel/libdwarf: Update and fix vulnerabilties -Update URL -Add LICENSE PR: 215085 Approved by: ports-secteam (with hat) Changes: _U branches/2017Q1/ branches/2017Q1/devel/libdwarf/Makefile branches/2017Q1/devel/libdwarf/distinfo branches/2017Q1/devel/libdwarf/files/ branches/2017Q1/devel/libdwarf/pkg-descr branches/2017Q1/devel/libdwarf/pkg-plist