diff options
Diffstat (limited to 'meta/recipes-devtools/elfutils')
| -rw-r--r-- | meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch | 59 | ||||
| -rw-r--r-- | meta/recipes-devtools/elfutils/elfutils_0.161.bb | 1 |
2 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch b/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch new file mode 100644 index 0000000000..7e4e492c1e --- /dev/null +++ b/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch | |||
| @@ -0,0 +1,59 @@ | |||
| 1 | From 147018e729e7c22eeabf15b82d26e4bf68a0d18e Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Alexander Cherepanov <cherepan@mccme.ru> | ||
| 3 | Date: Sun, 28 Dec 2014 19:57:19 +0300 | ||
| 4 | Subject: [PATCH] libelf: Fix dir traversal vuln in ar extraction. | ||
| 5 | |||
| 6 | Upstream-Status: Backport | ||
| 7 | |||
| 8 | read_long_names terminates names at the first '/' found but then skips | ||
| 9 | one character without checking (it's supposed to be '\n'). Hence the | ||
| 10 | next name could start with any character including '/'. This leads to | ||
| 11 | a directory traversal vulnerability at the time the contents of the | ||
| 12 | archive is extracted. | ||
| 13 | |||
| 14 | The danger is mitigated by the fact that only one '/' is possible in a | ||
| 15 | resulting filename and only in the leading position. Hence only files | ||
| 16 | in the root directory can be written via this vuln and only when ar is | ||
| 17 | executed as root. | ||
| 18 | |||
| 19 | The fix for the vuln is to not skip any characters while looking | ||
| 20 | for '/'. | ||
| 21 | |||
| 22 | Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru> | ||
| 23 | --- | ||
| 24 | libelf/ChangeLog | 5 +++++ | ||
| 25 | libelf/elf_begin.c | 5 +---- | ||
| 26 | 2 files changed, 6 insertions(+), 4 deletions(-) | ||
| 27 | |||
| 28 | diff --git a/libelf/ChangeLog b/libelf/ChangeLog | ||
| 29 | index 3b88d03..447c354 100644 | ||
| 30 | --- a/libelf/ChangeLog | ||
| 31 | +++ b/libelf/ChangeLog | ||
| 32 | @@ -1,3 +1,8 @@ | ||
| 33 | +2014-12-28 Alexander Cherepanov <cherepan@mccme.ru> | ||
| 34 | + | ||
| 35 | + * elf_begin.c (read_long_names): Don't miss '/' right after | ||
| 36 | + another '/'. Fixes a dir traversal vuln in ar extraction. | ||
| 37 | + | ||
| 38 | 2014-12-18 Ulrich Drepper <drepper@gmail.com> | ||
| 39 | |||
| 40 | * Makefile.am: Suppress output of textrel_check command. | ||
| 41 | diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c | ||
| 42 | index 30abe0b..cd3756c 100644 | ||
| 43 | --- a/libelf/elf_begin.c | ||
| 44 | +++ b/libelf/elf_begin.c | ||
| 45 | @@ -749,10 +749,7 @@ read_long_names (Elf *elf) | ||
| 46 | } | ||
| 47 | |||
| 48 | /* NUL-terminate the string. */ | ||
| 49 | - *runp = '\0'; | ||
| 50 | - | ||
| 51 | - /* Skip the NUL byte and the \012. */ | ||
| 52 | - runp += 2; | ||
| 53 | + *runp++ = '\0'; | ||
| 54 | |||
| 55 | /* A sanity check. Somebody might have generated invalid | ||
| 56 | archive. */ | ||
| 57 | -- | ||
| 58 | 1.9.1 | ||
| 59 | |||
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.161.bb b/meta/recipes-devtools/elfutils/elfutils_0.161.bb index 0dbe9f95f2..e111b34a8a 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.161.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.161.bb | |||
| @@ -16,6 +16,7 @@ SRC_URI += "\ | |||
| 16 | file://Fix_elf_cvt_gunhash.patch \ | 16 | file://Fix_elf_cvt_gunhash.patch \ |
| 17 | file://fixheadercheck.patch \ | 17 | file://fixheadercheck.patch \ |
| 18 | file://0001-elf_getarsym-Silence-Werror-maybe-uninitialized-fals.patch \ | 18 | file://0001-elf_getarsym-Silence-Werror-maybe-uninitialized-fals.patch \ |
| 19 | file://0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch \ | ||
| 19 | " | 20 | " |
| 20 | 21 | ||
| 21 | # pick the patch from debian | 22 | # pick the patch from debian |