CVE-2014-0172 | Vulnerability Database | Aqua Security

Integer overflow in the check_section function in dwarf_begin_elf.c in the libdw library, as used in elfutils 0.153 and possibly through 0.158 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed compressed debug section in an ELF file, which triggers a heap-based buffer overflow.

Affected Software

Name	Vendor	Start Version	End Version
Elfutils	Elfutils_project	0.153 (including)	0.153 (including)
Elfutils	Elfutils_project	0.154 (including)	0.154 (including)
Elfutils	Elfutils_project	0.155 (including)	0.155 (including)
Elfutils	Elfutils_project	0.156 (including)	0.156 (including)
Elfutils	Elfutils_project	0.157 (including)	0.157 (including)
Elfutils	Elfutils_project	0.158 (including)	0.158 (including)
Red Hat Enterprise Linux 7	RedHat	elfutils-0:0.160-1.el7	*
Elfutils	Ubuntu	devel	*
Elfutils	Ubuntu	esm-infra-legacy/trusty	*
Elfutils	Ubuntu	quantal	*
Elfutils	Ubuntu	saucy	*
Elfutils	Ubuntu	trusty	*
Elfutils	Ubuntu	trusty/esm	*

References

http://seclists.org/oss-sec/2014/q2/54
http://www.securityfocus.com/bid/66714
http://www.ubuntu.com/usn/USN-2188-1
https://bugzilla.redhat.com/show_bug.cgi?id=1085663
https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-April/003921.html
https://security.gentoo.org/glsa/201612-32
http://seclists.org/oss-sec/2014/q2/54
http://www.securityfocus.com/bid/66714
http://www.ubuntu.com/usn/USN-2188-1
https://bugzilla.redhat.com/show_bug.cgi?id=1085663
https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-April/003921.html
https://security.gentoo.org/glsa/201612-32

NVD	https://nvd.nist.gov/vuln/detail/CVE-2014-0172
CWE	https://cwe.mitre.org/data/definitions/189.html