elfutils: Security Advisory - CVE-2015-0255

Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9447 (From OE-Core rev: 4a65944b89a76f18c8ff6e148f17508882d387cf) Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Roy Li <rongqing.li@windriver.com> 2015-04-28 14:22:54 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-04-30 23:04:17 +0100
commit: 145abfc06bc633145185087acf04f480e237c62c (patch)
tree: 9246c1dc237acef1673b6a09fbf396be4bff5710 /meta/recipes-devtools/elfutils
parent: 927bc7148cba14b1ffe166a5670bcb1c7530ff5c (diff)
download: poky-145abfc06bc633145185087acf04f480e237c62c.tar.gz
2 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch b/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch
new file mode 100644
index 0000000000..7e4e492c1e
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch
@@ -0,0 +1,59 @@
+From 147018e729e7c22eeabf15b82d26e4bf68a0d18e Mon Sep 17 00:00:00 2001
+From: Alexander Cherepanov <cherepan@mccme.ru>
+Date: Sun, 28 Dec 2014 19:57:19 +0300
+Subject: [PATCH] libelf: Fix dir traversal vuln in ar extraction.
+Upstream-Status: Backport
+read_long_names terminates names at the first '/' found but then skips
+one character without checking (it's supposed to be '\n'). Hence the
+next name could start with any character including '/'. This leads to
+a directory traversal vulnerability at the time the contents of the
+archive is extracted.
+The danger is mitigated by the fact that only one '/' is possible in a
+resulting filename and only in the leading position. Hence only files
+in the root directory can be written via this vuln and only when ar is
+executed as root.
+The fix for the vuln is to not skip any characters while looking
+for '/'.
+Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
+---
+ libelf/ChangeLog   | 5 +++++
+ libelf/elf_begin.c | 5 +----
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+diff --git a/libelf/ChangeLog b/libelf/ChangeLog
+index 3b88d03..447c354 100644
+--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
+@@ -1,3 +1,8 @@
+2014-12-28  Alexander Cherepanov  <cherepan@mccme.ru>
+
+       * elf_begin.c (read_long_names): Don't miss '/' right after
+       another '/'. Fixes a dir traversal vuln in ar extraction.
+
+ 2014-12-18  Ulrich Drepper  <drepper@gmail.com>
+ 
+        * Makefile.am: Suppress output of textrel_check command.
+diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
+index 30abe0b..cd3756c 100644
+--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
+@@ -749,10 +749,7 @@ read_long_names (Elf *elf)
+            }
+ 
+          /* NUL-terminate the string.  */
+-         *runp = '\0';
+-
+-         /* Skip the NUL byte and the \012.  */
+-         runp += 2;
+         *runp++ = '\0';
+ 
+          /* A sanity check.  Somebody might have generated invalid
+             archive.  */
+-- 
+1.9.1
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.161.bb b/meta/recipes-devtools/elfutils/elfutils_0.161.bb
index 0dbe9f95f2..e111b34a8a 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.161.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.161.bb
@@ -16,6 +16,7 @@ SRC_URI += "\
        file://Fix_elf_cvt_gunhash.patch \
        file://fixheadercheck.patch \
        file://0001-elf_getarsym-Silence-Werror-maybe-uninitialized-fals.patch \
+        file://0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch \
 "
 # pick the patch from debian
author	Roy Li <rongqing.li@windriver.com>	2015-04-28 14:22:54 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-04-30 23:04:17 +0100
commit	145abfc06bc633145185087acf04f480e237c62c (patch)
tree	9246c1dc237acef1673b6a09fbf396be4bff5710 /meta/recipes-devtools/elfutils
parent	927bc7148cba14b1ffe166a5670bcb1c7530ff5c (diff)
download	poky-145abfc06bc633145185087acf04f480e237c62c.tar.gz

diff --git a/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch b/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch new file mode 100644 index 0000000000..7e4e492c1e --- /dev/null +++ b/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch
@@ -0,0 +1,59 @@
		1	From 147018e729e7c22eeabf15b82d26e4bf68a0d18e Mon Sep 17 00:00:00 2001
		2	From: Alexander Cherepanov <cherepan@mccme.ru>
		3	Date: Sun, 28 Dec 2014 19:57:19 +0300
		4	Subject: [PATCH] libelf: Fix dir traversal vuln in ar extraction.
		5
		6	Upstream-Status: Backport
		7
		8	read_long_names terminates names at the first '/' found but then skips
		9	one character without checking (it's supposed to be '\n'). Hence the
		10	next name could start with any character including '/'. This leads to
		11	a directory traversal vulnerability at the time the contents of the
		12	archive is extracted.
		13
		14	The danger is mitigated by the fact that only one '/' is possible in a
		15	resulting filename and only in the leading position. Hence only files
		16	in the root directory can be written via this vuln and only when ar is
		17	executed as root.
		18
		19	The fix for the vuln is to not skip any characters while looking
		20	for '/'.
		21
		22	Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
		23	---
		24	libelf/ChangeLog \| 5 +++++
		25	libelf/elf_begin.c \| 5 +----
		26	2 files changed, 6 insertions(+), 4 deletions(-)
		27
		28	diff --git a/libelf/ChangeLog b/libelf/ChangeLog
		29	index 3b88d03..447c354 100644
		30	--- a/libelf/ChangeLog
		31	+++ b/libelf/ChangeLog
		32	@@ -1,3 +1,8 @@
		33	+2014-12-28 Alexander Cherepanov <cherepan@mccme.ru>
		34	+
		35	+ * elf_begin.c (read_long_names): Don't miss '/' right after
		36	+ another '/'. Fixes a dir traversal vuln in ar extraction.
		37	+
		38	2014-12-18 Ulrich Drepper <drepper@gmail.com>
		39
		40	* Makefile.am: Suppress output of textrel_check command.
		41	diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
		42	index 30abe0b..cd3756c 100644
		43	--- a/libelf/elf_begin.c
		44	+++ b/libelf/elf_begin.c
		45	@@ -749,10 +749,7 @@ read_long_names (Elf *elf)
		46	}
		47
		48	/* NUL-terminate the string. */
		49	- *runp = '\0';
		50	-
		51	- /* Skip the NUL byte and the \012. */
		52	- runp += 2;
		53	+ *runp++ = '\0';
		54
		55	/* A sanity check. Somebody might have generated invalid
		56	archive. */
		57	--
		58	1.9.1
		59


diff --git a/meta/recipes-devtools/elfutils/elfutils_0.161.bb b/meta/recipes-devtools/elfutils/elfutils_0.161.bb index 0dbe9f95f2..e111b34a8a 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.161.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.161.bb
@@ -16,6 +16,7 @@ SRC_URI += "\
16	file://Fix_elf_cvt_gunhash.patch \	16	file://Fix_elf_cvt_gunhash.patch \
17	file://fixheadercheck.patch \	17	file://fixheadercheck.patch \
18	file://0001-elf_getarsym-Silence-Werror-maybe-uninitialized-fals.patch \	18	file://0001-elf_getarsym-Silence-Werror-maybe-uninitialized-fals.patch \
		19	file://0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch \
19	"	20	"
20		21
21	# pick the patch from debian	22	# pick the patch from debian