elfutils: CVE-2014-9447

directory traversal in read_long_names() Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9447 Upstream commit with the analysis: https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-03-03 12:33:30 +0100
committer: Tudor Florea <tudor.florea@enea.com> 2015-07-06 20:19:38 +0200
commit: 8364d34ae4a1ee0c7645bf0c338ebc297a1f6bdd (patch)
tree: 17cdeb0bd1983e13b931e075f0fa738b093dda20
parent: 7b418aa46a9e550d63e404e3b10dc827f2772c48 (diff)
download: poky-8364d34ae4a1ee0c7645bf0c338ebc297a1f6bdd.tar.gz
2 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch
new file mode 100644
index 0000000000..82b05fb08f
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch
@@ -0,0 +1,50 @@
+libelf: Fix dir traversal vuln in ar extraction.
+read_long_names terminates names at the first '/' found but then skips one
+character without checking (it's supposed to be '\n'). Hence the next name could
+start with any character including '/'. This leads to a directory traversal
+vulnerability at the time the contents of the archive is extracted.
+The danger is mitigated by the fact that only one '/' is possible in a resulting
+filename
+and only in the leading position. Hence only files in the root directory can be
+written via this vuln and only when ar is executed as root. The fix for the vuln
+is to not skip any characters while looking for '/'.
+Upstream commit:
+https://git.fedorahosted.org/cgit/elfutils.git/commit/
+?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e
+Fixes CVE-2014-9447
+Upstream-Status: Backport
+Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -ruN a/libelf/ChangeLog b/libelf/ChangeLog
+--- a/libelf/ChangeLog  2015-03-03 12:39:39.255277970 +0100
+++ b/libelf/ChangeLog  2015-03-03 12:43:44.700870042 +0100
+@@ -1,3 +1,8 @@
+2014-12-28  Alexander Cherepanov  <cherepan@mccme.ru>
+
+       * elf_begin.c (read_long_names): Don't miss '/' right after
+       another '/'. Fixes a dir traversal vuln in ar extraction.
+
+ 2012-08-16  Roland McGrath  <roland@hack.frob.com>
+ 
+        * elf.h: Update from glibc.
+diff -ruN a/libelf/elf_begin.c b/libelf/elf_begin.c
+--- a/libelf/elf_begin.c        2015-03-03 12:39:39.835253375 +0100
+++ b/libelf/elf_begin.c        2015-03-03 12:41:30.906543370 +0100
+@@ -744,10 +744,7 @@
+            break;
+ 
+          /* NUL-terminate the string.  */
+-         *runp = '\0';
+-
+-         /* Skip the NUL byte and the \012.  */
+-         runp += 2;
+         *runp++ = '\0';
+ 
+          /* A sanity check.  Somebody might have generated invalid
+             archive.  */
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.155.bb b/meta/recipes-devtools/elfutils/elfutils_0.155.bb
index b1f410c0f6..edb4919e1a 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.155.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.155.bb
@@ -23,6 +23,7 @@ SRC_URI += "\
        file://nm-Fix-size-passed-to-snprintf-for-invalid-sh_name-case.patch \
        file://elfutils-ar-c-fix-num-passed-to-memset.patch \
        file://fix-build-gcc-4.8.patch \
+        file://CVE-2014-9447.patch \
 "
 # Only apply when building uclibc based target recipe
 SRC_URI_append_libc-uclibc = " file://uclibc-support.patch"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-03-03 12:33:30 +0100
committer	Tudor Florea <tudor.florea@enea.com>	2015-07-06 20:19:38 +0200
commit	8364d34ae4a1ee0c7645bf0c338ebc297a1f6bdd (patch)
tree	17cdeb0bd1983e13b931e075f0fa738b093dda20
parent	7b418aa46a9e550d63e404e3b10dc827f2772c48 (diff)
download	poky-8364d34ae4a1ee0c7645bf0c338ebc297a1f6bdd.tar.gz

diff --git a/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch new file mode 100644 index 0000000000..82b05fb08f --- /dev/null +++ b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch
@@ -0,0 +1,50 @@
		1	libelf: Fix dir traversal vuln in ar extraction.
		2
		3	read_long_names terminates names at the first '/' found but then skips one
		4	character without checking (it's supposed to be '\n'). Hence the next name could
		5	start with any character including '/'. This leads to a directory traversal
		6	vulnerability at the time the contents of the archive is extracted.
		7
		8	The danger is mitigated by the fact that only one '/' is possible in a resulting
		9	filename
		10	and only in the leading position. Hence only files in the root directory can be
		11	written via this vuln and only when ar is executed as root. The fix for the vuln
		12	is to not skip any characters while looking for '/'.
		13
		14	Upstream commit:
		15	https://git.fedorahosted.org/cgit/elfutils.git/commit/
		16	?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e
		17
		18	Fixes CVE-2014-9447
		19	Upstream-Status: Backport
		20
		21	Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
		22	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		23	---
		24	diff -ruN a/libelf/ChangeLog b/libelf/ChangeLog
		25	--- a/libelf/ChangeLog 2015-03-03 12:39:39.255277970 +0100
		26	+++ b/libelf/ChangeLog 2015-03-03 12:43:44.700870042 +0100
		27	@@ -1,3 +1,8 @@
		28	+2014-12-28 Alexander Cherepanov <cherepan@mccme.ru>
		29	+
		30	+ * elf_begin.c (read_long_names): Don't miss '/' right after
		31	+ another '/'. Fixes a dir traversal vuln in ar extraction.
		32	+
		33	2012-08-16 Roland McGrath <roland@hack.frob.com>
		34
		35	* elf.h: Update from glibc.
		36	diff -ruN a/libelf/elf_begin.c b/libelf/elf_begin.c
		37	--- a/libelf/elf_begin.c 2015-03-03 12:39:39.835253375 +0100
		38	+++ b/libelf/elf_begin.c 2015-03-03 12:41:30.906543370 +0100
		39	@@ -744,10 +744,7 @@
		40	break;
		41
		42	/* NUL-terminate the string. */
		43	- *runp = '\0';
		44	-
		45	- /* Skip the NUL byte and the \012. */
		46	- runp += 2;
		47	+ *runp++ = '\0';
		48
		49	/* A sanity check. Somebody might have generated invalid
		50	archive. */


diff --git a/meta/recipes-devtools/elfutils/elfutils_0.155.bb b/meta/recipes-devtools/elfutils/elfutils_0.155.bb index b1f410c0f6..edb4919e1a 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.155.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.155.bb
@@ -23,6 +23,7 @@ SRC_URI += "\
23	file://nm-Fix-size-passed-to-snprintf-for-invalid-sh_name-case.patch \	23	file://nm-Fix-size-passed-to-snprintf-for-invalid-sh_name-case.patch \
24	file://elfutils-ar-c-fix-num-passed-to-memset.patch \	24	file://elfutils-ar-c-fix-num-passed-to-memset.patch \
25	file://fix-build-gcc-4.8.patch \	25	file://fix-build-gcc-4.8.patch \
		26	file://CVE-2014-9447.patch \
26	"	27	"
27	# Only apply when building uclibc based target recipe	28	# Only apply when building uclibc based target recipe
28	SRC_URI_append_libc-uclibc = " file://uclibc-support.patch"	29	SRC_URI_append_libc-uclibc = " file://uclibc-support.patch"