CVE-2019-7148

Publication date 29 January 2019

Last updated 24 July 2024


Ubuntu priority

Negligible

Why this priority?

Cvss 3 Severity Score

6.5 · Medium

Score breakdown

An attempted excessive memory allocation was discovered in the function read_long_names in elf_begin.c in libelf in elfutils 0.174. Remote attackers could leverage this vulnerability to cause a denial-of-service via crafted elf input, which leads to an out-of-memory exception. NOTE: The maintainers believe this is not a real issue, but instead a "warning caused by ASAN because the allocation is big. By setting ASAN_OPTIONS=allocator_may_return_null=1 and running the reproducer, nothing happens."

Read the notes from the security team

Status

Package Ubuntu Release Status
elfutils 19.04 disco
Not affected
18.10 cosmic Ignored
18.04 LTS bionic Ignored
16.04 LTS xenial Ignored
14.04 LTS trusty Ignored

Notes


mdeslaur

this was disputed as not being a security issue, marking as ignored

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
elfutils

Severity score breakdown

Parameter Value
Base score 6.5 · Medium
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H