Bug 215085 - devel/libdwarf: Update to 20161124 (Fixes many security vulnerabilities)
Summary: devel/libdwarf: Update to 20161124 (Fixes many security vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Some People
Assignee: Mark Felder
URL: https://lwn.net/Articles/708092/
Keywords: patch, security
Depends on:
Blocks: 215086
Reported: 2016-12-06 04:50 UTC by Pedro F. Giffuni
Modified: 2017-01-09 17:35 UTC (History)

See Also:
bugzilla: maintainer-feedback? (joerg)
feld: merge-quarterly+

Port update (3.52 KB, patch)
2016-12-06 04:50 UTC, Pedro F. Giffuni

Description Pedro F. Giffuni freebsd_committer 2016-12-06 04:50:11 UTC
Created attachment 177706 [details]
Port update

-Update URL
-Update to latest version.

Apparently previous versions have a huge number of vulnerabilities:

CVE-ID  : CVE-2016-5027 CVE-2016-5028 CVE-2016-5029 CVE-2016-5030
          CVE-2016-5031 CVE-2016-5032 CVE-2016-5033 CVE-2016-5035
          CVE-2016-5037 CVE-2016-5040 CVE-2016-5041 CVE-2016-5043
          CVE-2016-5044 CVE-2016-7510 CVE-2016-7511 CVE-2016-8679
          CVE-2016-8680 CVE-2016-8681 CVE-2016-9275 CVE-2016-9276
          CVE-2016-9480 CVE-2016-9558

More information on:
Comment 1 Jason Unovitch freebsd_committer 2016-12-28 03:09:25 UTC
Should the CVEs be documented against dwarfdump or libdwarf? It seems like the binary in dwarfdump would be the vector.

Looking at the referenced source, they are all "won't fix" bugs in RHEL 7's security advisories and low priority. We can look at applying the batch of updates in one go and follow up with VuXML when that happens. Ping for joerg@ again for his expertise. If need be we are at maintainer timeout.
Comment 2 Pedro F. Giffuni freebsd_committer 2016-12-28 05:45:04 UTC
(In reply to Jason Unovitch from comment #1)

The vulnerabilities are in libdwarf; dwarfdump only reads values (I think) so it would not be a reasonable target.

IMHO, while the number of vulnerabilities is impressive, they have little chance of being relevant: an attack would have to use a carefully crafted executable that is expected to be debugged with this libdwarf. Luckily, for base we use the library from the Elftoolchain project and we don't have any plans to ship this one due to the license.
Comment 3 commit-hook freebsd_committer 2017-01-09 17:32:26 UTC
A commit references this bug:

Author: feld
Date: Mon Jan  9 17:32:04 UTC 2017
New revision: 430987
URL: https://svnweb.freebsd.org/changeset/ports/430987

  Document libdwarf vulnerabilities

  Security:	CVE-2016-5027 CVE-2016-5028 CVE-2016-5029 CVE-2016-5030
  Security:	CVE-2016-5031 CVE-2016-5032 CVE-2016-5033 CVE-2016-5035
  Security:	CVE-2016-5037 CVE-2016-5040 CVE-2016-5041 CVE-2016-5043
  Security:	CVE-2016-5044 CVE-2016-7510 CVE-2016-7511 CVE-2016-8679
  Security:	CVE-2016-8680 CVE-2016-8681 CVE-2016-9275 CVE-2016-9276
  Security:	CVE-2016-9480 CVE-2016-9558

  PR:		215085

Comment 4 commit-hook freebsd_committer 2017-01-09 17:34:30 UTC
A commit references this bug:

Author: feld
Date: Mon Jan  9 17:33:51 UTC 2017
New revision: 430988
URL: https://svnweb.freebsd.org/changeset/ports/430988

  devel/libdwarf: Update and fix vulnerabilities

  -Update URL

  PR:		215085
  Approved by:	maintainer timeout
  MFH:		2017Q1

Comment 5 commit-hook freebsd_committer 2017-01-09 17:35:33 UTC
A commit references this bug:

Author: feld
Date: Mon Jan  9 17:35:23 UTC 2017
New revision: 430989
URL: https://svnweb.freebsd.org/changeset/ports/430989

  MFH: r430988

  devel/libdwarf: Update and fix vulnerabilities

  -Update URL

  PR:		215085
  Approved by:	ports-secteam (with hat)

_U  branches/2017Q1/