elfutils: CVE-2014-9447

directory traversal in read_long_names() Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9447 Upstream commit with the analysis: https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-03-03 11:03:10 +0100
committer: Tudor Florea <tudor.florea@enea.com> 2015-07-06 20:19:38 +0200
commit: 7b418aa46a9e550d63e404e3b10dc827f2772c48 (patch)
tree: bd4914154dc75c9c4459bb5c4df2cea9b3c23b54
parent: fae5298ce647241f79fa5f8bcba9d4b7caeed1b7 (diff)
download: poky-7b418aa46a9e550d63e404e3b10dc827f2772c48.tar.gz
2 files changed, 53 insertions, 1 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils/elfutils-0.148-CVE-2014-9447.patch b/meta/recipes-devtools/elfutils/elfutils/elfutils-0.148-CVE-2014-9447.patch
new file mode 100644
index 0000000000..8edec1b2ed
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/elfutils/elfutils-0.148-CVE-2014-9447.patch
@@ -0,0 +1,51 @@
+libelf: Fix dir traversal vuln in ar extraction.
+read_long_names terminates names at the first '/' found but
+then skips one character without checking (it's supposed to
+be '\n'). Hence the next name could start with any character
+including '/'. This leads to a directory traversal vulnerability
+at the time the contents of the archive is extracted.
+The danger is mitigated by the fact that only one '/' is
+possible in a resulting filename and only in the leading position.
+Hence only files in the root directory can be written via this vuln
+and only when ar is executed as root. The fix for the vuln is to not
+skip any characters while looking for '/'.
+Upstream commit:
+https://git.fedorahosted.org/cgit/elfutils.git/commit/
+?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e
+Fixes CVE-2014-9447
+Upstream-Status: Backport
+Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -ruN a/libelf/ChangeLog b/libelf/ChangeLog
+--- a/libelf/ChangeLog  2015-03-03 10:45:03.586045753 +0100
+++ b/libelf/ChangeLog  2015-03-03 10:47:14.052545814 +0100
+@@ -1,3 +1,8 @@
+2014-12-28  Alexander Cherepanov  <cherepan@mccme.ru>
+
+       * elf_begin.c (read_long_names): Don't miss '/' right after
+       another '/'. Fixes a dir traversal vuln in ar extraction.
+
+ 2010-06-14  Ulrich Drepper  <drepper@redhat.com>
+ 
+        * gelf_update_shdr.c: Implicitly set ELF_F_DIRTY bit.
+diff -ruN a/libelf/elf_begin.c b/libelf/elf_begin.c
+--- a/libelf/elf_begin.c        2015-03-03 10:45:04.414010849 +0100
+++ b/libelf/elf_begin.c        2015-03-03 10:45:46.736226750 +0100
+@@ -765,10 +765,7 @@
+            break;
+ 
+          /* NUL-terminate the string.  */
+-         *runp = '\0';
+-
+-         /* Skip the NUL byte and the \012.  */
+-         runp += 2;
+         *runp++ = '\0';
+ 
+          /* A sanity check.  Somebody might have generated invalid
+             archive.  */
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.148.bb b/meta/recipes-devtools/elfutils/elfutils_0.148.bb
index e2b8d26aee..69aaf7be3c 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.148.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.148.bb
@@ -34,7 +34,8 @@ SRC_URI += "\
        file://elfutils-ar-c-fix-num-passed-to-memset.patch \
        file://add-ptest.patch \
        file://run-ptest \
-    file://avoid_parallel_tests.patch \
+        file://avoid_parallel_tests.patch \
+        file://elfutils-0.148-CVE-2014-9447.patch \
 "
 # Only apply when building uclibc based target recipe
 SRC_URI_append_libc-uclibc = " file://uclibc-support.patch"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-03-03 11:03:10 +0100
committer	Tudor Florea <tudor.florea@enea.com>	2015-07-06 20:19:38 +0200
commit	7b418aa46a9e550d63e404e3b10dc827f2772c48 (patch)
tree	bd4914154dc75c9c4459bb5c4df2cea9b3c23b54
parent	fae5298ce647241f79fa5f8bcba9d4b7caeed1b7 (diff)
download	poky-7b418aa46a9e550d63e404e3b10dc827f2772c48.tar.gz

diff --git a/meta/recipes-devtools/elfutils/elfutils/elfutils-0.148-CVE-2014-9447.patch b/meta/recipes-devtools/elfutils/elfutils/elfutils-0.148-CVE-2014-9447.patch new file mode 100644 index 0000000000..8edec1b2ed --- /dev/null +++ b/meta/recipes-devtools/elfutils/elfutils/elfutils-0.148-CVE-2014-9447.patch
@@ -0,0 +1,51 @@
		1	libelf: Fix dir traversal vuln in ar extraction.
		2
		3	read_long_names terminates names at the first '/' found but
		4	then skips one character without checking (it's supposed to
		5	be '\n'). Hence the next name could start with any character
		6	including '/'. This leads to a directory traversal vulnerability
		7	at the time the contents of the archive is extracted.
		8
		9	The danger is mitigated by the fact that only one '/' is
		10	possible in a resulting filename and only in the leading position.
		11	Hence only files in the root directory can be written via this vuln
		12	and only when ar is executed as root. The fix for the vuln is to not
		13	skip any characters while looking for '/'.
		14
		15	Upstream commit:
		16	https://git.fedorahosted.org/cgit/elfutils.git/commit/
		17	?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e
		18
		19	Fixes CVE-2014-9447
		20	Upstream-Status: Backport
		21
		22	Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
		23	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		24	---
		25	diff -ruN a/libelf/ChangeLog b/libelf/ChangeLog
		26	--- a/libelf/ChangeLog 2015-03-03 10:45:03.586045753 +0100
		27	+++ b/libelf/ChangeLog 2015-03-03 10:47:14.052545814 +0100
		28	@@ -1,3 +1,8 @@
		29	+2014-12-28 Alexander Cherepanov <cherepan@mccme.ru>
		30	+
		31	+ * elf_begin.c (read_long_names): Don't miss '/' right after
		32	+ another '/'. Fixes a dir traversal vuln in ar extraction.
		33	+
		34	2010-06-14 Ulrich Drepper <drepper@redhat.com>
		35
		36	* gelf_update_shdr.c: Implicitly set ELF_F_DIRTY bit.
		37	diff -ruN a/libelf/elf_begin.c b/libelf/elf_begin.c
		38	--- a/libelf/elf_begin.c 2015-03-03 10:45:04.414010849 +0100
		39	+++ b/libelf/elf_begin.c 2015-03-03 10:45:46.736226750 +0100
		40	@@ -765,10 +765,7 @@
		41	break;
		42
		43	/* NUL-terminate the string. */
		44	- *runp = '\0';
		45	-
		46	- /* Skip the NUL byte and the \012. */
		47	- runp += 2;
		48	+ *runp++ = '\0';
		49
		50	/* A sanity check. Somebody might have generated invalid
		51	archive. */


diff --git a/meta/recipes-devtools/elfutils/elfutils_0.148.bb b/meta/recipes-devtools/elfutils/elfutils_0.148.bb index e2b8d26aee..69aaf7be3c 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.148.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.148.bb
@@ -34,7 +34,8 @@ SRC_URI += "\
34	file://elfutils-ar-c-fix-num-passed-to-memset.patch \	34	file://elfutils-ar-c-fix-num-passed-to-memset.patch \
35	file://add-ptest.patch \	35	file://add-ptest.patch \
36	file://run-ptest \	36	file://run-ptest \
37	file://avoid_parallel_tests.patch \	37	file://avoid_parallel_tests.patch \
		38	file://elfutils-0.148-CVE-2014-9447.patch \
38	"	39	"
39	# Only apply when building uclibc based target recipe	40	# Only apply when building uclibc based target recipe
40	SRC_URI_append_libc-uclibc = " file://uclibc-support.patch"	41	SRC_URI_append_libc-uclibc = " file://uclibc-support.patch"