diff options
| author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-04-29 11:02:21 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-05-01 12:34:52 +0100 |
| commit | b9da1f441bbd8ef2c4bbcd2aabd2d42b65757827 (patch) | |
| tree | e6839f9fd5ef2729efb69869ec2d5d88cf577340 /meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch | |
| parent | ccbb7ef72f799fd11824009f2b000090e09b8bef (diff) | |
| download | poky-b9da1f441bbd8ef2c4bbcd2aabd2d42b65757827.tar.gz | |
elfutils: CVE-2014-9447
directory traversal in read_long_names()
Reference
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9447
Upstream commit with the analysis:
https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e
(From OE-Core rev: 6e7badf6819f372bd6dced191c7fda9748062126)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch')
| -rw-r--r-- | meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch new file mode 100644 index 0000000000..82b05fb08f --- /dev/null +++ b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch | |||
| @@ -0,0 +1,50 @@ | |||
| 1 | libelf: Fix dir traversal vuln in ar extraction. | ||
| 2 | |||
| 3 | read_long_names terminates names at the first '/' found but then skips one | ||
| 4 | character without checking (it's supposed to be '\n'). Hence the next name could | ||
| 5 | start with any character including '/'. This leads to a directory traversal | ||
| 6 | vulnerability at the time the contents of the archive is extracted. | ||
| 7 | |||
| 8 | The danger is mitigated by the fact that only one '/' is possible in a resulting | ||
| 9 | filename | ||
| 10 | and only in the leading position. Hence only files in the root directory can be | ||
| 11 | written via this vuln and only when ar is executed as root. The fix for the vuln | ||
| 12 | is to not skip any characters while looking for '/'. | ||
| 13 | |||
| 14 | Upstream commit: | ||
| 15 | https://git.fedorahosted.org/cgit/elfutils.git/commit/ | ||
| 16 | ?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e | ||
| 17 | |||
| 18 | Fixes CVE-2014-9447 | ||
| 19 | Upstream-Status: Backport | ||
| 20 | |||
| 21 | Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru> | ||
| 22 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
| 23 | --- | ||
| 24 | diff -ruN a/libelf/ChangeLog b/libelf/ChangeLog | ||
| 25 | --- a/libelf/ChangeLog 2015-03-03 12:39:39.255277970 +0100 | ||
| 26 | +++ b/libelf/ChangeLog 2015-03-03 12:43:44.700870042 +0100 | ||
| 27 | @@ -1,3 +1,8 @@ | ||
| 28 | +2014-12-28 Alexander Cherepanov <cherepan@mccme.ru> | ||
| 29 | + | ||
| 30 | + * elf_begin.c (read_long_names): Don't miss '/' right after | ||
| 31 | + another '/'. Fixes a dir traversal vuln in ar extraction. | ||
| 32 | + | ||
| 33 | 2012-08-16 Roland McGrath <roland@hack.frob.com> | ||
| 34 | |||
| 35 | * elf.h: Update from glibc. | ||
| 36 | diff -ruN a/libelf/elf_begin.c b/libelf/elf_begin.c | ||
| 37 | --- a/libelf/elf_begin.c 2015-03-03 12:39:39.835253375 +0100 | ||
| 38 | +++ b/libelf/elf_begin.c 2015-03-03 12:41:30.906543370 +0100 | ||
| 39 | @@ -744,10 +744,7 @@ | ||
| 40 | break; | ||
| 41 | |||
| 42 | /* NUL-terminate the string. */ | ||
| 43 | - *runp = '\0'; | ||
| 44 | - | ||
| 45 | - /* Skip the NUL byte and the \012. */ | ||
| 46 | - runp += 2; | ||
| 47 | + *runp++ = '\0'; | ||
| 48 | |||
| 49 | /* A sanity check. Somebody might have generated invalid | ||
| 50 | archive. */ | ||