aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/elfutils
diff options
context:
space:
mode:
authorRoy Li <rongqing.li@windriver.com>2015-04-28 14:22:54 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-04-30 23:01:29 +0100
commit4a65944b89a76f18c8ff6e148f17508882d387cf (patch)
treede912eacb4400edf4d3acc75cb5e1507bb665d1c /meta/recipes-devtools/elfutils
parentf2e92c741bde70753163afe3839ff8d35ae5380e (diff)
downloadopenembedded-core-contrib-4a65944b89a76f18c8ff6e148f17508882d387cf.tar.gz
elfutils: Security Advisory - CVE-2015-0255
Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9447 Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/elfutils')
-rw-r--r--meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch59
-rw-r--r--meta/recipes-devtools/elfutils/elfutils_0.161.bb1
2 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch b/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch
new file mode 100644
index 00000000000..7e4e492c1eb
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch
@@ -0,0 +1,59 @@
+From 147018e729e7c22eeabf15b82d26e4bf68a0d18e Mon Sep 17 00:00:00 2001
+From: Alexander Cherepanov <cherepan@mccme.ru>
+Date: Sun, 28 Dec 2014 19:57:19 +0300
+Subject: [PATCH] libelf: Fix dir traversal vuln in ar extraction.
+
+Upstream-Status: Backport
+
+read_long_names terminates names at the first '/' found but then skips
+one character without checking (it's supposed to be '\n'). Hence the
+next name could start with any character including '/'. This leads to
+a directory traversal vulnerability at the time the contents of the
+archive is extracted.
+
+The danger is mitigated by the fact that only one '/' is possible in a
+resulting filename and only in the leading position. Hence only files
+in the root directory can be written via this vuln and only when ar is
+executed as root.
+
+The fix for the vuln is to not skip any characters while looking
+for '/'.
+
+Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
+---
+ libelf/ChangeLog | 5 +++++
+ libelf/elf_begin.c | 5 +----
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/libelf/ChangeLog b/libelf/ChangeLog
+index 3b88d03..447c354 100644
+--- a/libelf/ChangeLog
++++ b/libelf/ChangeLog
+@@ -1,3 +1,8 @@
++2014-12-28 Alexander Cherepanov <cherepan@mccme.ru>
++
++ * elf_begin.c (read_long_names): Don't miss '/' right after
++ another '/'. Fixes a dir traversal vuln in ar extraction.
++
+ 2014-12-18 Ulrich Drepper <drepper@gmail.com>
+
+ * Makefile.am: Suppress output of textrel_check command.
+diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
+index 30abe0b..cd3756c 100644
+--- a/libelf/elf_begin.c
++++ b/libelf/elf_begin.c
+@@ -749,10 +749,7 @@ read_long_names (Elf *elf)
+ }
+
+ /* NUL-terminate the string. */
+- *runp = '\0';
+-
+- /* Skip the NUL byte and the \012. */
+- runp += 2;
++ *runp++ = '\0';
+
+ /* A sanity check. Somebody might have generated invalid
+ archive. */
+--
+1.9.1
+
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.161.bb b/meta/recipes-devtools/elfutils/elfutils_0.161.bb
index 0dbe9f95f2c..e111b34a8a3 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.161.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.161.bb
@@ -16,6 +16,7 @@ SRC_URI += "\
file://Fix_elf_cvt_gunhash.patch \
file://fixheadercheck.patch \
file://0001-elf_getarsym-Silence-Werror-maybe-uninitialized-fals.patch \
+ file://0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch \
"
# pick the patch from debian