Bug 215085

Summary: devel/libdwarf: Update to 20161124 (Fixes many security vulnerabilities)
Product: Ports & Packages
Reporter: Pedro F. Giffuni <pfg>
Component: Individual Port(s)
Assignee: Mark Felder <feld>
Status: Closed FIXED
Severity: Affects Some People
CC: feld, junovitch, pfg, ports-secteam
Priority: Normal
Keywords: patch, security
Version: Latest
Flags: bugzilla: maintainer-feedback? (joerg)
       feld: merge-quarterly+
Hardware: Any
OS: Any
URL: https://lwn.net/Articles/708092/
Bug Depends on:
Bug Blocks: 215086
Attachments: Port update (Flags: none)

Description Pedro F. Giffuni freebsd_committer freebsd_triage 2016-12-06 04:50:11 UTC
Created attachment 177706
Port update

-Update URL
-Update to latest version.
-Add LICENSE.

Apparently previous versions have a huge number of vulnerabilities:

CVE-ID  : CVE-2016-5027 CVE-2016-5028 CVE-2016-5029 CVE-2016-5030
          CVE-2016-5031 CVE-2016-5032 CVE-2016-5033 CVE-2016-5035
          CVE-2016-5037 CVE-2016-5040 CVE-2016-5041 CVE-2016-5043
          CVE-2016-5044 CVE-2016-7510 CVE-2016-7511 CVE-2016-8679
          CVE-2016-8680 CVE-2016-8681 CVE-2016-9275 CVE-2016-9276
          CVE-2016-9480 CVE-2016-9558

More information on:
https://lwn.net/Articles/708092/
Comment 1 Jason Unovitch freebsd_committer freebsd_triage 2016-12-28 03:09:25 UTC
Should the CVEs be documented against dwarfdump or libdwarf? It seems like the binary in dwarfdump would be the vector.

Looking at the referenced source, they are all "won't fix" bugs in RHEL 7's security advisories and low priority. We can look at applying the batch of updates in one go and follow up with VuXML when that happens. Ping for joerg@ again for his expertise. If need be we are at maintainer timeout.
Comment 2 Pedro F. Giffuni freebsd_committer freebsd_triage 2016-12-28 05:45:04 UTC
(In reply to Jason Unovitch from comment #1)

The vulnerabilities are in libdwarf; dwarfdump only reads values (I think) so it would not be a reasonable target.

IMHO, while the number of vulnerabilities is impressive, they have little chance of being relevant: an attack would have to use a carefully crafted executable that is expected to be debugged with this libdwarf. Luckily, for base we use the library from the Elftoolchain project and we don't have any plans to ship this one due to the license.
Comment 3 commit-hook freebsd_committer freebsd_triage 2017-01-09 17:32:26 UTC
A commit references this bug:

Author: feld
Date: Mon Jan  9 17:32:04 UTC 2017
New revision: 430987
URL: https://svnweb.freebsd.org/changeset/ports/430987

Log:
  Document libdwarf vulnerabilities

  Security:	CVE-2016-5027 CVE-2016-5028 CVE-2016-5029 CVE-2016-5030
  Security:	CVE-2016-5031 CVE-2016-5032 CVE-2016-5033 CVE-2016-5035
  Security:	CVE-2016-5037 CVE-2016-5040 CVE-2016-5041 CVE-2016-5043
  Security:	CVE-2016-5044 CVE-2016-7510 CVE-2016-7511 CVE-2016-8679
  Security:	CVE-2016-8680 CVE-2016-8681 CVE-2016-9275 CVE-2016-9276
  Security:	CVE-2016-9480 CVE-2016-9558

  PR:		215085

Changes:
  head/security/vuxml/vuln.xml
Comment 4 commit-hook freebsd_committer freebsd_triage 2017-01-09 17:34:30 UTC
A commit references this bug:

Author: feld
Date: Mon Jan  9 17:33:51 UTC 2017
New revision: 430988
URL: https://svnweb.freebsd.org/changeset/ports/430988

Log:
  devel/libdwarf: Update and fix vulnerabilities

  -Update URL
  -Add LICENSE

  PR:		215085
  Approved by:	maintainer timeout
  MFH:		2017Q1

Changes:
  head/devel/libdwarf/Makefile
  head/devel/libdwarf/distinfo
  head/devel/libdwarf/files/
  head/devel/libdwarf/pkg-descr
  head/devel/libdwarf/pkg-plist
Comment 5 commit-hook freebsd_committer freebsd_triage 2017-01-09 17:35:33 UTC
A commit references this bug:

Author: feld
Date: Mon Jan  9 17:35:23 UTC 2017
New revision: 430989
URL: https://svnweb.freebsd.org/changeset/ports/430989

Log:
  MFH: r430988

  devel/libdwarf: Update and fix vulnerabilities

  -Update URL
  -Add LICENSE

  PR:		215085
  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2017Q1/
  branches/2017Q1/devel/libdwarf/Makefile
  branches/2017Q1/devel/libdwarf/distinfo
  branches/2017Q1/devel/libdwarf/files/
  branches/2017Q1/devel/libdwarf/pkg-descr
  branches/2017Q1/devel/libdwarf/pkg-plist