PatchSiren cyber security CVE debrief

CVE-2016-5032 Libdwarf Project CVE debrief

CVE-2016-5032 is a denial-of-service issue in libdwarf’s dwarf_get_xu_hash_entry function. A crafted file can trigger a crash in vulnerable versions before 20160923, affecting systems that process untrusted DWARF-containing content.

Vendor: Libdwarf Project
Product: CVE-2016-5032
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Organizations and developers that ship libdwarf directly or bundle it inside tools that parse object files, debug data, or other untrusted inputs should care most. Security teams should also review any downstream products that inherit libdwarf from a vendor package.

Technical summary

NVD classifies the weakness as CWE-125 (out-of-bounds read) and lists the vulnerable CPE range as libdwarf_project:libdwarf versions from 1999-12-14 up to, but not including, 2016-09-23. The NVD CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: a network attack vector with low complexity and no privileges required, but dependent on user interaction (a victim must open or process the crafted file), with scope unchanged and an availability impact only, no confidentiality or integrity loss.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade libdwarf to 20160923 or later, or apply the vendor patch/backport if an upgrade is not immediately possible.
  • Inventory products and build images for bundled copies of libdwarf, including statically linked or vendor-supplied instances.
  • Restrict and validate untrusted input files where libdwarf is used, especially workflows that open externally supplied debug or object files.
  • Confirm that downstream packages have been rebuilt against a fixed libdwarf version and redeployed.
  • Track the referenced advisory and vendor mailing list notes for any product-specific guidance.

Evidence notes

The NVD entry states that dwarf_get_xu_hash_entry in libdwarf before 20160923 allows remote attackers to cause a denial of service via a crafted file. NVD also maps the issue to CWE-125 and lists references to the openwall oss-security mailing list posts and the prevanders.net dwarfbug advisory. The CVSS vector includes user interaction, so the attack depends on a victim opening or processing the crafted file.

Official resources

The CVE was published by NVD on 2017-02-17, while the referenced advisory material dates back to May 2016. NVD last modified the record on 2026-05-13. The vulnerable version boundary given in the record is before 20160923.