elfutils: CVE-2014-9447

directory traversal in read_long_names() Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9447 Upstream commit with the analysis: https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-03-03 12:33:30 +0100
committer: Tudor Florea <tudor.florea@enea.com> 2015-07-06 20:19:38 +0200
commit: 8364d34ae4a1ee0c7645bf0c338ebc297a1f6bdd (patch)
tree: 17cdeb0bd1983e13b931e075f0fa738b093dda20 /meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch
parent: 7b418aa46a9e550d63e404e3b10dc827f2772c48 (diff)
download: poky-8364d34ae4a1ee0c7645bf0c338ebc297a1f6bdd.tar.gz
1 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch
new file mode 100644
index 0000000000..82b05fb08f
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch
@@ -0,0 +1,50 @@
+libelf: Fix dir traversal vuln in ar extraction.
+read_long_names terminates names at the first '/' found but then skips one
+character without checking (it's supposed to be '\n'). Hence the next name could
+start with any character including '/'. This leads to a directory traversal
+vulnerability at the time the contents of the archive is extracted.
+The danger is mitigated by the fact that only one '/' is possible in a resulting
+filename
+and only in the leading position. Hence only files in the root directory can be
+written via this vuln and only when ar is executed as root. The fix for the vuln
+is to not skip any characters while looking for '/'.
+Upstream commit:
+https://git.fedorahosted.org/cgit/elfutils.git/commit/
+?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e
+Fixes CVE-2014-9447
+Upstream-Status: Backport
+Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -ruN a/libelf/ChangeLog b/libelf/ChangeLog
+--- a/libelf/ChangeLog  2015-03-03 12:39:39.255277970 +0100
+++ b/libelf/ChangeLog  2015-03-03 12:43:44.700870042 +0100
+@@ -1,3 +1,8 @@
+2014-12-28  Alexander Cherepanov  <cherepan@mccme.ru>
+
+       * elf_begin.c (read_long_names): Don't miss '/' right after
+       another '/'. Fixes a dir traversal vuln in ar extraction.
+
+ 2012-08-16  Roland McGrath  <roland@hack.frob.com>
+ 
+        * elf.h: Update from glibc.
+diff -ruN a/libelf/elf_begin.c b/libelf/elf_begin.c
+--- a/libelf/elf_begin.c        2015-03-03 12:39:39.835253375 +0100
+++ b/libelf/elf_begin.c        2015-03-03 12:41:30.906543370 +0100
+@@ -744,10 +744,7 @@
+            break;
+ 
+          /* NUL-terminate the string.  */
+-         *runp = '\0';
+-
+-         /* Skip the NUL byte and the \012.  */
+-         runp += 2;
+         *runp++ = '\0';
+ 
+          /* A sanity check.  Somebody might have generated invalid
+             archive.  */
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-03-03 12:33:30 +0100
committer	Tudor Florea <tudor.florea@enea.com>	2015-07-06 20:19:38 +0200
commit	8364d34ae4a1ee0c7645bf0c338ebc297a1f6bdd (patch)
tree	17cdeb0bd1983e13b931e075f0fa738b093dda20 /meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch
parent	7b418aa46a9e550d63e404e3b10dc827f2772c48 (diff)
download	poky-8364d34ae4a1ee0c7645bf0c338ebc297a1f6bdd.tar.gz

diff --git a/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch new file mode 100644 index 0000000000..82b05fb08f --- /dev/null +++ b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch
@@ -0,0 +1,50 @@
	1	libelf: Fix dir traversal vuln in ar extraction.
	2
	3	read_long_names terminates names at the first '/' found but then skips one
	4	character without checking (it's supposed to be '\n'). Hence the next name could
	5	start with any character including '/'. This leads to a directory traversal
	6	vulnerability at the time the contents of the archive is extracted.
	7
	8	The danger is mitigated by the fact that only one '/' is possible in a resulting
	9	filename
	10	and only in the leading position. Hence only files in the root directory can be
	11	written via this vuln and only when ar is executed as root. The fix for the vuln
	12	is to not skip any characters while looking for '/'.
	13
	14	Upstream commit:
	15	https://git.fedorahosted.org/cgit/elfutils.git/commit/
	16	?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e
	17
	18	Fixes CVE-2014-9447
	19	Upstream-Status: Backport
	20
	21	Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
	22	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	23	---
	24	diff -ruN a/libelf/ChangeLog b/libelf/ChangeLog
	25	--- a/libelf/ChangeLog 2015-03-03 12:39:39.255277970 +0100
	26	+++ b/libelf/ChangeLog 2015-03-03 12:43:44.700870042 +0100
	27	@@ -1,3 +1,8 @@
	28	+2014-12-28 Alexander Cherepanov <cherepan@mccme.ru>
	29	+
	30	+ * elf_begin.c (read_long_names): Don't miss '/' right after
	31	+ another '/'. Fixes a dir traversal vuln in ar extraction.
	32	+
	33	2012-08-16 Roland McGrath <roland@hack.frob.com>
	34
	35	* elf.h: Update from glibc.
	36	diff -ruN a/libelf/elf_begin.c b/libelf/elf_begin.c
	37	--- a/libelf/elf_begin.c 2015-03-03 12:39:39.835253375 +0100
	38	+++ b/libelf/elf_begin.c 2015-03-03 12:41:30.906543370 +0100
	39	@@ -744,10 +744,7 @@
	40	break;
	41
	42	/* NUL-terminate the string. */
	43	- *runp = '\0';
	44	-
	45	- /* Skip the NUL byte and the \012. */
	46	- runp += 2;
	47	+ *runp++ = '\0';
	48
	49	/* A sanity check. Somebody might have generated invalid
	50	archive. */