Fixes directory traversal vulnerability in elfutils 'ar' utility Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9447
Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com> --- .../elfutils/elfutils/CVE-2014-9447.patch | 51 ++++++++++++++++++++++ meta/recipes-devtools/elfutils/elfutils_0.148.bb | 1 + 2 files changed, 52 insertions(+) create mode 100644 meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch diff --git a/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch new file mode 100644 index 0000000..8edec1b --- /dev/null +++ b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch @@ -0,0 +1,51 @@ +libelf: Fix dir traversal vuln in ar extraction. + +read_long_names terminates names at the first '/' found but +then skips one character without checking (it's supposed to +be '\n'). Hence the next name could start with any character +including '/'. This leads to a directory traversal vulnerability +at the time the contents of the archive is extracted. + +The danger is mitigated by the fact that only one '/' is +possible in a resulting filename and only in the leading position. +Hence only files in the root directory can be written via this vuln +and only when ar is executed as root. The fix for the vuln is to not +skip any characters while looking for '/'. + +Upstream commit: +https://git.fedorahosted.org/cgit/elfutils.git/commit/ +?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e + +Fixes CVE-2014-9447 +Upstream-Status: Backport + +Signed-off-by: Alexander Cherepanov <chere...@mccme.ru> +Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com> +--- +diff -ruN a/libelf/ChangeLog b/libelf/ChangeLog +--- a/libelf/ChangeLog 2015-03-03 10:45:03.586045753 +0100 ++++ b/libelf/ChangeLog 2015-03-03 10:47:14.052545814 +0100 +@@ -1,3 +1,8 @@ ++2014-12-28 Alexander Cherepanov <chere...@mccme.ru> ++ ++ * elf_begin.c (read_long_names): Don't miss '/' right after ++ another '/'. Fixes a dir traversal vuln in ar extraction. ++ + 2010-06-14 Ulrich Drepper <drep...@redhat.com> + + * gelf_update_shdr.c: Implicitly set ELF_F_DIRTY bit. +diff -ruN a/libelf/elf_begin.c b/libelf/elf_begin.c +--- a/libelf/elf_begin.c 2015-03-03 10:45:04.414010849 +0100 ++++ b/libelf/elf_begin.c 2015-03-03 10:45:46.736226750 +0100 +@@ -765,10 +765,7 @@ + break; + + /* NUL-terminate the string. */ +- *runp = '\0'; +- +- /* Skip the NUL byte and the \012. */ +- runp += 2; ++ *runp++ = '\0'; + + /* A sanity check. Somebody might have generated invalid + archive. */ diff --git a/meta/recipes-devtools/elfutils/elfutils_0.148.bb b/meta/recipes-devtools/elfutils/elfutils_0.148.bb index 1106242..d65867e 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.148.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.148.bb @@ -32,6 +32,7 @@ SRC_URI += "\ file://dso-link-change.patch \ file://nm-Fix-size-passed-to-snprintf-for-invalid-sh_name-case.patch \ file://elfutils-ar-c-fix-num-passed-to-memset.patch \ + file://CVE-2014-9447.patch \ " # Only apply when building uclibc based target recipe SRC_URI_append_libc-uclibc = " file://uclibc-support.patch" -- 1.9.1 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
