diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-03-03 11:03:10 +0100 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2015-07-06 20:19:38 +0200 |
commit | 7b418aa46a9e550d63e404e3b10dc827f2772c48 (patch) | |
tree | bd4914154dc75c9c4459bb5c4df2cea9b3c23b54 | |
parent | fae5298ce647241f79fa5f8bcba9d4b7caeed1b7 (diff) | |
download | poky-7b418aa46a9e550d63e404e3b10dc827f2772c48.tar.gz |
elfutils: CVE-2014-9447
directory traversal in read_long_names()
Reference
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9447
Upstream commit with the analysis:
https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-rw-r--r-- | meta/recipes-devtools/elfutils/elfutils/elfutils-0.148-CVE-2014-9447.patch | 51 | ||||
-rw-r--r-- | meta/recipes-devtools/elfutils/elfutils_0.148.bb | 3 |
2 files changed, 53 insertions, 1 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils/elfutils-0.148-CVE-2014-9447.patch b/meta/recipes-devtools/elfutils/elfutils/elfutils-0.148-CVE-2014-9447.patch new file mode 100644 index 0000000000..8edec1b2ed --- /dev/null +++ b/meta/recipes-devtools/elfutils/elfutils/elfutils-0.148-CVE-2014-9447.patch | |||
@@ -0,0 +1,51 @@ | |||
1 | libelf: Fix dir traversal vuln in ar extraction. | ||
2 | |||
3 | read_long_names terminates names at the first '/' found but | ||
4 | then skips one character without checking (it's supposed to | ||
5 | be '\n'). Hence the next name could start with any character | ||
6 | including '/'. This leads to a directory traversal vulnerability | ||
7 | at the time the contents of the archive is extracted. | ||
8 | |||
9 | The danger is mitigated by the fact that only one '/' is | ||
10 | possible in a resulting filename and only in the leading position. | ||
11 | Hence only files in the root directory can be written via this vuln | ||
12 | and only when ar is executed as root. The fix for the vuln is to not | ||
13 | skip any characters while looking for '/'. | ||
14 | |||
15 | Upstream commit: | ||
16 | https://git.fedorahosted.org/cgit/elfutils.git/commit/ | ||
17 | ?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e | ||
18 | |||
19 | Fixes CVE-2014-9447 | ||
20 | Upstream-Status: Backport | ||
21 | |||
22 | Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru> | ||
23 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
24 | --- | ||
25 | diff -ruN a/libelf/ChangeLog b/libelf/ChangeLog | ||
26 | --- a/libelf/ChangeLog 2015-03-03 10:45:03.586045753 +0100 | ||
27 | +++ b/libelf/ChangeLog 2015-03-03 10:47:14.052545814 +0100 | ||
28 | @@ -1,3 +1,8 @@ | ||
29 | +2014-12-28 Alexander Cherepanov <cherepan@mccme.ru> | ||
30 | + | ||
31 | + * elf_begin.c (read_long_names): Don't miss '/' right after | ||
32 | + another '/'. Fixes a dir traversal vuln in ar extraction. | ||
33 | + | ||
34 | 2010-06-14 Ulrich Drepper <drepper@redhat.com> | ||
35 | |||
36 | * gelf_update_shdr.c: Implicitly set ELF_F_DIRTY bit. | ||
37 | diff -ruN a/libelf/elf_begin.c b/libelf/elf_begin.c | ||
38 | --- a/libelf/elf_begin.c 2015-03-03 10:45:04.414010849 +0100 | ||
39 | +++ b/libelf/elf_begin.c 2015-03-03 10:45:46.736226750 +0100 | ||
40 | @@ -765,10 +765,7 @@ | ||
41 | break; | ||
42 | |||
43 | /* NUL-terminate the string. */ | ||
44 | - *runp = '\0'; | ||
45 | - | ||
46 | - /* Skip the NUL byte and the \012. */ | ||
47 | - runp += 2; | ||
48 | + *runp++ = '\0'; | ||
49 | |||
50 | /* A sanity check. Somebody might have generated invalid | ||
51 | archive. */ | ||
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.148.bb b/meta/recipes-devtools/elfutils/elfutils_0.148.bb index e2b8d26aee..69aaf7be3c 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.148.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.148.bb | |||
@@ -34,7 +34,8 @@ SRC_URI += "\ | |||
34 | file://elfutils-ar-c-fix-num-passed-to-memset.patch \ | 34 | file://elfutils-ar-c-fix-num-passed-to-memset.patch \ |
35 | file://add-ptest.patch \ | 35 | file://add-ptest.patch \ |
36 | file://run-ptest \ | 36 | file://run-ptest \ |
37 | file://avoid_parallel_tests.patch \ | 37 | file://avoid_parallel_tests.patch \ |
38 | file://elfutils-0.148-CVE-2014-9447.patch \ | ||
38 | " | 39 | " |
39 | # Only apply when building uclibc based target recipe | 40 | # Only apply when building uclibc based target recipe |
40 | SRC_URI_append_libc-uclibc = " file://uclibc-support.patch" | 41 | SRC_URI_append_libc-uclibc = " file://uclibc-support.patch" |