summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2015-03-03 10:03:10 (GMT)
committerTudor Florea <tudor.florea@enea.com>2015-07-06 18:19:38 (GMT)
commit7b418aa46a9e550d63e404e3b10dc827f2772c48 (patch)
treebd4914154dc75c9c4459bb5c4df2cea9b3c23b54
parentfae5298ce647241f79fa5f8bcba9d4b7caeed1b7 (diff)
downloadpoky-7b418aa46a9e550d63e404e3b10dc827f2772c48.tar.gz
elfutils: CVE-2014-9447
directory traversal in read_long_names() Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9447 Upstream commit with the analysis: https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-rw-r--r--meta/recipes-devtools/elfutils/elfutils/elfutils-0.148-CVE-2014-9447.patch51
-rw-r--r--meta/recipes-devtools/elfutils/elfutils_0.148.bb3
2 files changed, 53 insertions, 1 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils/elfutils-0.148-CVE-2014-9447.patch b/meta/recipes-devtools/elfutils/elfutils/elfutils-0.148-CVE-2014-9447.patch
new file mode 100644
index 0000000..8edec1b
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/elfutils/elfutils-0.148-CVE-2014-9447.patch
@@ -0,0 +1,51 @@
1libelf: Fix dir traversal vuln in ar extraction.
2
3read_long_names terminates names at the first '/' found but
4then skips one character without checking (it's supposed to
5be '\n'). Hence the next name could start with any character
6including '/'. This leads to a directory traversal vulnerability
7at the time the contents of the archive is extracted.
8
9The danger is mitigated by the fact that only one '/' is
10possible in a resulting filename and only in the leading position.
11Hence only files in the root directory can be written via this vuln
12and only when ar is executed as root. The fix for the vuln is to not
13skip any characters while looking for '/'.
14
15Upstream commit:
16https://git.fedorahosted.org/cgit/elfutils.git/commit/
17?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e
18
19Fixes CVE-2014-9447
20Upstream-Status: Backport
21
22Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
23Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
24---
25diff -ruN a/libelf/ChangeLog b/libelf/ChangeLog
26--- a/libelf/ChangeLog 2015-03-03 10:45:03.586045753 +0100
27+++ b/libelf/ChangeLog 2015-03-03 10:47:14.052545814 +0100
28@@ -1,3 +1,8 @@
29+2014-12-28 Alexander Cherepanov <cherepan@mccme.ru>
30+
31+ * elf_begin.c (read_long_names): Don't miss '/' right after
32+ another '/'. Fixes a dir traversal vuln in ar extraction.
33+
34 2010-06-14 Ulrich Drepper <drepper@redhat.com>
35
36 * gelf_update_shdr.c: Implicitly set ELF_F_DIRTY bit.
37diff -ruN a/libelf/elf_begin.c b/libelf/elf_begin.c
38--- a/libelf/elf_begin.c 2015-03-03 10:45:04.414010849 +0100
39+++ b/libelf/elf_begin.c 2015-03-03 10:45:46.736226750 +0100
40@@ -765,10 +765,7 @@
41 break;
42
43 /* NUL-terminate the string. */
44- *runp = '\0';
45-
46- /* Skip the NUL byte and the \012. */
47- runp += 2;
48+ *runp++ = '\0';
49
50 /* A sanity check. Somebody might have generated invalid
51 archive. */
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.148.bb b/meta/recipes-devtools/elfutils/elfutils_0.148.bb
index e2b8d26..69aaf7b 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.148.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.148.bb
@@ -34,7 +34,8 @@ SRC_URI += "\
34 file://elfutils-ar-c-fix-num-passed-to-memset.patch \ 34 file://elfutils-ar-c-fix-num-passed-to-memset.patch \
35 file://add-ptest.patch \ 35 file://add-ptest.patch \
36 file://run-ptest \ 36 file://run-ptest \
37 file://avoid_parallel_tests.patch \ 37 file://avoid_parallel_tests.patch \
38 file://elfutils-0.148-CVE-2014-9447.patch \
38" 39"
39# Only apply when building uclibc based target recipe 40# Only apply when building uclibc based target recipe
40SRC_URI_append_libc-uclibc = " file://uclibc-support.patch" 41SRC_URI_append_libc-uclibc = " file://uclibc-support.patch"