summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2015-03-03 11:33:30 (GMT)
committerTudor Florea <tudor.florea@enea.com>2015-07-06 18:19:38 (GMT)
commit8364d34ae4a1ee0c7645bf0c338ebc297a1f6bdd (patch)
tree17cdeb0bd1983e13b931e075f0fa738b093dda20
parent7b418aa46a9e550d63e404e3b10dc827f2772c48 (diff)
downloadpoky-8364d34ae4a1ee0c7645bf0c338ebc297a1f6bdd.tar.gz
elfutils: CVE-2014-9447
directory traversal in read_long_names() Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9447 Upstream commit with the analysis: https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-rw-r--r--meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch50
-rw-r--r--meta/recipes-devtools/elfutils/elfutils_0.155.bb1
2 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch
new file mode 100644
index 0000000..82b05fb
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch
@@ -0,0 +1,50 @@
1libelf: Fix dir traversal vuln in ar extraction.
2
3read_long_names terminates names at the first '/' found but then skips one
4character without checking (it's supposed to be '\n'). Hence the next name could
5start with any character including '/'. This leads to a directory traversal
6vulnerability at the time the contents of the archive is extracted.
7
8The danger is mitigated by the fact that only one '/' is possible in a resulting
9filename
10and only in the leading position. Hence only files in the root directory can be
11written via this vuln and only when ar is executed as root. The fix for the vuln
12is to not skip any characters while looking for '/'.
13
14Upstream commit:
15https://git.fedorahosted.org/cgit/elfutils.git/commit/
16?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e
17
18Fixes CVE-2014-9447
19Upstream-Status: Backport
20
21Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
22Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
23---
24diff -ruN a/libelf/ChangeLog b/libelf/ChangeLog
25--- a/libelf/ChangeLog 2015-03-03 12:39:39.255277970 +0100
26+++ b/libelf/ChangeLog 2015-03-03 12:43:44.700870042 +0100
27@@ -1,3 +1,8 @@
28+2014-12-28 Alexander Cherepanov <cherepan@mccme.ru>
29+
30+ * elf_begin.c (read_long_names): Don't miss '/' right after
31+ another '/'. Fixes a dir traversal vuln in ar extraction.
32+
33 2012-08-16 Roland McGrath <roland@hack.frob.com>
34
35 * elf.h: Update from glibc.
36diff -ruN a/libelf/elf_begin.c b/libelf/elf_begin.c
37--- a/libelf/elf_begin.c 2015-03-03 12:39:39.835253375 +0100
38+++ b/libelf/elf_begin.c 2015-03-03 12:41:30.906543370 +0100
39@@ -744,10 +744,7 @@
40 break;
41
42 /* NUL-terminate the string. */
43- *runp = '\0';
44-
45- /* Skip the NUL byte and the \012. */
46- runp += 2;
47+ *runp++ = '\0';
48
49 /* A sanity check. Somebody might have generated invalid
50 archive. */
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.155.bb b/meta/recipes-devtools/elfutils/elfutils_0.155.bb
index b1f410c..edb4919 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.155.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.155.bb
@@ -23,6 +23,7 @@ SRC_URI += "\
23 file://nm-Fix-size-passed-to-snprintf-for-invalid-sh_name-case.patch \ 23 file://nm-Fix-size-passed-to-snprintf-for-invalid-sh_name-case.patch \
24 file://elfutils-ar-c-fix-num-passed-to-memset.patch \ 24 file://elfutils-ar-c-fix-num-passed-to-memset.patch \
25 file://fix-build-gcc-4.8.patch \ 25 file://fix-build-gcc-4.8.patch \
26 file://CVE-2014-9447.patch \
26" 27"
27# Only apply when building uclibc based target recipe 28# Only apply when building uclibc based target recipe
28SRC_URI_append_libc-uclibc = " file://uclibc-support.patch" 29SRC_URI_append_libc-uclibc = " file://uclibc-support.patch"