diff options
author | Roy Li <rongqing.li@windriver.com> | 2015-04-28 14:22:54 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-04-30 23:01:29 +0100 |
commit | 4a65944b89a76f18c8ff6e148f17508882d387cf (patch) | |
tree | de912eacb4400edf4d3acc75cb5e1507bb665d1c /meta/recipes-devtools/elfutils | |
parent | f2e92c741bde70753163afe3839ff8d35ae5380e (diff) | |
download | openembedded-core-contrib-4a65944b89a76f18c8ff6e148f17508882d387cf.tar.gz |
elfutils: Security Advisory - CVE-2015-0255
Directory traversal vulnerability in the read_long_names function in
libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers
to write to arbitrary files to the root directory via a / (slash) in a
crafted archive, as demonstrated using the ar program.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9447
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/elfutils')
-rw-r--r-- | meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch | 59 | ||||
-rw-r--r-- | meta/recipes-devtools/elfutils/elfutils_0.161.bb | 1 |
2 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch b/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch new file mode 100644 index 00000000000..7e4e492c1eb --- /dev/null +++ b/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch @@ -0,0 +1,59 @@ +From 147018e729e7c22eeabf15b82d26e4bf68a0d18e Mon Sep 17 00:00:00 2001 +From: Alexander Cherepanov <cherepan@mccme.ru> +Date: Sun, 28 Dec 2014 19:57:19 +0300 +Subject: [PATCH] libelf: Fix dir traversal vuln in ar extraction. + +Upstream-Status: Backport + +read_long_names terminates names at the first '/' found but then skips +one character without checking (it's supposed to be '\n'). Hence the +next name could start with any character including '/'. This leads to +a directory traversal vulnerability at the time the contents of the +archive is extracted. + +The danger is mitigated by the fact that only one '/' is possible in a +resulting filename and only in the leading position. Hence only files +in the root directory can be written via this vuln and only when ar is +executed as root. + +The fix for the vuln is to not skip any characters while looking +for '/'. + +Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru> +--- + libelf/ChangeLog | 5 +++++ + libelf/elf_begin.c | 5 +---- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/libelf/ChangeLog b/libelf/ChangeLog +index 3b88d03..447c354 100644 +--- a/libelf/ChangeLog ++++ b/libelf/ChangeLog +@@ -1,3 +1,8 @@ ++2014-12-28 Alexander Cherepanov <cherepan@mccme.ru> ++ ++ * elf_begin.c (read_long_names): Don't miss '/' right after ++ another '/'. Fixes a dir traversal vuln in ar extraction. ++ + 2014-12-18 Ulrich Drepper <drepper@gmail.com> + + * Makefile.am: Suppress output of textrel_check command. +diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c +index 30abe0b..cd3756c 100644 +--- a/libelf/elf_begin.c ++++ b/libelf/elf_begin.c +@@ -749,10 +749,7 @@ read_long_names (Elf *elf) + } + + /* NUL-terminate the string. */ +- *runp = '\0'; +- +- /* Skip the NUL byte and the \012. */ +- runp += 2; ++ *runp++ = '\0'; + + /* A sanity check. Somebody might have generated invalid + archive. */ +-- +1.9.1 + diff --git a/meta/recipes-devtools/elfutils/elfutils_0.161.bb b/meta/recipes-devtools/elfutils/elfutils_0.161.bb index 0dbe9f95f2c..e111b34a8a3 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.161.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.161.bb @@ -16,6 +16,7 @@ SRC_URI += "\ file://Fix_elf_cvt_gunhash.patch \ file://fixheadercheck.patch \ file://0001-elf_getarsym-Silence-Werror-maybe-uninitialized-fals.patch \ + file://0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch \ " # pick the patch from debian |