diff options
author | Roy Li <rongqing.li@windriver.com> | 2015-04-28 14:22:54 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-04-30 23:04:17 +0100 |
commit | 145abfc06bc633145185087acf04f480e237c62c (patch) | |
tree | 9246c1dc237acef1673b6a09fbf396be4bff5710 /meta/recipes-devtools/elfutils | |
parent | 927bc7148cba14b1ffe166a5670bcb1c7530ff5c (diff) | |
download | poky-145abfc06bc633145185087acf04f480e237c62c.tar.gz |
elfutils: Security Advisory - CVE-2015-0255
Directory traversal vulnerability in the read_long_names function in
libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers
to write to arbitrary files to the root directory via a / (slash) in a
crafted archive, as demonstrated using the ar program.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9447
(From OE-Core rev: 4a65944b89a76f18c8ff6e148f17508882d387cf)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/elfutils')
-rw-r--r-- | meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch | 59 | ||||
-rw-r--r-- | meta/recipes-devtools/elfutils/elfutils_0.161.bb | 1 |
2 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch b/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch new file mode 100644 index 0000000000..7e4e492c1e --- /dev/null +++ b/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | From 147018e729e7c22eeabf15b82d26e4bf68a0d18e Mon Sep 17 00:00:00 2001 | ||
2 | From: Alexander Cherepanov <cherepan@mccme.ru> | ||
3 | Date: Sun, 28 Dec 2014 19:57:19 +0300 | ||
4 | Subject: [PATCH] libelf: Fix dir traversal vuln in ar extraction. | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | |||
8 | read_long_names terminates names at the first '/' found but then skips | ||
9 | one character without checking (it's supposed to be '\n'). Hence the | ||
10 | next name could start with any character including '/'. This leads to | ||
11 | a directory traversal vulnerability at the time the contents of the | ||
12 | archive is extracted. | ||
13 | |||
14 | The danger is mitigated by the fact that only one '/' is possible in a | ||
15 | resulting filename and only in the leading position. Hence only files | ||
16 | in the root directory can be written via this vuln and only when ar is | ||
17 | executed as root. | ||
18 | |||
19 | The fix for the vuln is to not skip any characters while looking | ||
20 | for '/'. | ||
21 | |||
22 | Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru> | ||
23 | --- | ||
24 | libelf/ChangeLog | 5 +++++ | ||
25 | libelf/elf_begin.c | 5 +---- | ||
26 | 2 files changed, 6 insertions(+), 4 deletions(-) | ||
27 | |||
28 | diff --git a/libelf/ChangeLog b/libelf/ChangeLog | ||
29 | index 3b88d03..447c354 100644 | ||
30 | --- a/libelf/ChangeLog | ||
31 | +++ b/libelf/ChangeLog | ||
32 | @@ -1,3 +1,8 @@ | ||
33 | +2014-12-28 Alexander Cherepanov <cherepan@mccme.ru> | ||
34 | + | ||
35 | + * elf_begin.c (read_long_names): Don't miss '/' right after | ||
36 | + another '/'. Fixes a dir traversal vuln in ar extraction. | ||
37 | + | ||
38 | 2014-12-18 Ulrich Drepper <drepper@gmail.com> | ||
39 | |||
40 | * Makefile.am: Suppress output of textrel_check command. | ||
41 | diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c | ||
42 | index 30abe0b..cd3756c 100644 | ||
43 | --- a/libelf/elf_begin.c | ||
44 | +++ b/libelf/elf_begin.c | ||
45 | @@ -749,10 +749,7 @@ read_long_names (Elf *elf) | ||
46 | } | ||
47 | |||
48 | /* NUL-terminate the string. */ | ||
49 | - *runp = '\0'; | ||
50 | - | ||
51 | - /* Skip the NUL byte and the \012. */ | ||
52 | - runp += 2; | ||
53 | + *runp++ = '\0'; | ||
54 | |||
55 | /* A sanity check. Somebody might have generated invalid | ||
56 | archive. */ | ||
57 | -- | ||
58 | 1.9.1 | ||
59 | |||
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.161.bb b/meta/recipes-devtools/elfutils/elfutils_0.161.bb index 0dbe9f95f2..e111b34a8a 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.161.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.161.bb | |||
@@ -16,6 +16,7 @@ SRC_URI += "\ | |||
16 | file://Fix_elf_cvt_gunhash.patch \ | 16 | file://Fix_elf_cvt_gunhash.patch \ |
17 | file://fixheadercheck.patch \ | 17 | file://fixheadercheck.patch \ |
18 | file://0001-elf_getarsym-Silence-Werror-maybe-uninitialized-fals.patch \ | 18 | file://0001-elf_getarsym-Silence-Werror-maybe-uninitialized-fals.patch \ |
19 | file://0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch \ | ||
19 | " | 20 | " |
20 | 21 | ||
21 | # pick the patch from debian | 22 | # pick the patch from debian |