An update for elfutils is now available for openEuler-22.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1177 Final 1.0 1.0 2025-02-21 Initial 2025-02-21 2025-02-21 openEuler SA Tool V1.0 2025-02-21 elfutils security update An update for elfutils is now available for openEuler-22.03-LTS-SP4 Elfutils is a collection of utilities, including stack (to show backtraces), nm (for listing symbols from object files), size (for listing the section sizes of an object or archive file), strip (for discarding symbols), readelf (to see the raw ELF file structures), elflint (to check for well-formed ELF files) and elfcompress (to compress or decompress ELF sections). Also included are helper libraries which implement DWARF, ELF, and machine-specific ELF handling and process introspection. It also provides a DSO which allows reading and writing ELF files on a high level. Third party programs depend on this package to read internals of ELF files. Yama sysctl setting to enable default attach scope settings enabling programs to use ptrace attach, access to /proc/PID/{mem,personality,stack,syscall}, and the syscalls process_vm_readv and process_vm_writev which are used for interprocess services, communication and introspection (like synchronisation, signaling, debugging, tracing and profiling) of processes. Security Fix(es): A vulnerability has been found in GNU elfutils 0.192 and classified as critical. This vulnerability affects the function __libdw_thread_tail in the library libdw_alloc.c of the component eu-readelf. The manipulation of the argument w leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a patch to fix this issue.(CVE-2025-1352) A vulnerability was found in GNU elfutils 0.192. It has been declared as critical. Affected by this vulnerability is the function dump_data_section/print_string_section of the file readelf.c of the component eu-readelf. The manipulation of the argument z/x leads to buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 73db9d2021cab9e23fd734b0a76a612d52a6f1db. It is recommended to apply a patch to fix this issue.(CVE-2025-1372) A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue.(CVE-2025-1376) A vulnerability, which was classified as problematic, has been found in GNU elfutils 0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the component eu-strip. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. It is recommended to apply a patch to fix this issue.(CVE-2025-1377) An update for elfutils is now available for openEuler-22.03-LTS-SP4. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium elfutils https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1177 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-1352 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-1372 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-1376 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-1377 https://nvd.nist.gov/vuln/detail/CVE-2025-1352 https://nvd.nist.gov/vuln/detail/CVE-2025-1372 https://nvd.nist.gov/vuln/detail/CVE-2025-1376 https://nvd.nist.gov/vuln/detail/CVE-2025-1377 openEuler-22.03-LTS-SP4 elfutils-0.185-20.oe2203sp4.aarch64.rpm elfutils-debuginfo-0.185-20.oe2203sp4.aarch64.rpm elfutils-debuginfod-0.185-20.oe2203sp4.aarch64.rpm elfutils-debuginfod-client-0.185-20.oe2203sp4.aarch64.rpm elfutils-debuginfod-client-devel-0.185-20.oe2203sp4.aarch64.rpm elfutils-debugsource-0.185-20.oe2203sp4.aarch64.rpm elfutils-devel-0.185-20.oe2203sp4.aarch64.rpm elfutils-extra-0.185-20.oe2203sp4.aarch64.rpm elfutils-help-0.185-20.oe2203sp4.aarch64.rpm elfutils-0.185-20.oe2203sp4.src.rpm elfutils-0.185-20.oe2203sp4.x86_64.rpm elfutils-debuginfo-0.185-20.oe2203sp4.x86_64.rpm elfutils-debuginfod-0.185-20.oe2203sp4.x86_64.rpm elfutils-debuginfod-client-0.185-20.oe2203sp4.x86_64.rpm elfutils-debuginfod-client-devel-0.185-20.oe2203sp4.x86_64.rpm elfutils-debugsource-0.185-20.oe2203sp4.x86_64.rpm elfutils-devel-0.185-20.oe2203sp4.x86_64.rpm elfutils-extra-0.185-20.oe2203sp4.x86_64.rpm elfutils-help-0.185-20.oe2203sp4.x86_64.rpm A vulnerability has been found in GNU elfutils 0.192 and classified as critical. This vulnerability affects the function __libdw_thread_tail in the library libdw_alloc.c of the component eu-readelf. The manipulation of the argument w leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a patch to fix this issue. 2025-02-21 CVE-2025-1352 openEuler-22.03-LTS-SP4 Medium 5.0 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L elfutils security update 2025-02-21 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1177 A vulnerability was found in GNU elfutils 0.192. It has been declared as critical. Affected by this vulnerability is the function dump_data_section/print_string_section of the file readelf.c of the component eu-readelf. The manipulation of the argument z/x leads to buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 73db9d2021cab9e23fd734b0a76a612d52a6f1db. It is recommended to apply a patch to fix this issue. 2025-02-21 CVE-2025-1372 openEuler-22.03-LTS-SP4 Medium 5.3 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L elfutils security update 2025-02-21 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1177 A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue. 2025-02-21 CVE-2025-1376 openEuler-22.03-LTS-SP4 Low 2.5 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L elfutils security update 2025-02-21 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1177 A vulnerability, which was classified as problematic, has been found in GNU elfutils 0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the component eu-strip. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. It is recommended to apply a patch to fix this issue. 2025-02-21 CVE-2025-1377 openEuler-22.03-LTS-SP4 Low 3.3 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L elfutils security update 2025-02-21 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1177