diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-04-29 11:02:21 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-05-01 12:34:06 +0100 |
commit | 6e7badf6819f372bd6dced191c7fda9748062126 (patch) | |
tree | bca03b9e44869db85f875683ad86f34b27d26887 | |
parent | 0b13fbf3f9b4419141445b381ffa9445af6e52ab (diff) | |
download | openembedded-core-contrib-6e7badf6819f372bd6dced191c7fda9748062126.tar.gz |
elfutils: CVE-2014-9447
directory traversal in read_long_names()
Reference
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9447
Upstream commit with the analysis:
https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch | 50 | ||||
-rw-r--r-- | meta/recipes-devtools/elfutils/elfutils_0.155.bb | 1 |
2 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch new file mode 100644 index 0000000000..82b05fb08f --- /dev/null +++ b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch @@ -0,0 +1,50 @@ +libelf: Fix dir traversal vuln in ar extraction. + +read_long_names terminates names at the first '/' found but then skips one +character without checking (it's supposed to be '\n'). Hence the next name could +start with any character including '/'. This leads to a directory traversal +vulnerability at the time the contents of the archive is extracted. + +The danger is mitigated by the fact that only one '/' is possible in a resulting +filename +and only in the leading position. Hence only files in the root directory can be +written via this vuln and only when ar is executed as root. The fix for the vuln +is to not skip any characters while looking for '/'. + +Upstream commit: +https://git.fedorahosted.org/cgit/elfutils.git/commit/ +?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e + +Fixes CVE-2014-9447 +Upstream-Status: Backport + +Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru> +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> +--- +diff -ruN a/libelf/ChangeLog b/libelf/ChangeLog +--- a/libelf/ChangeLog 2015-03-03 12:39:39.255277970 +0100 ++++ b/libelf/ChangeLog 2015-03-03 12:43:44.700870042 +0100 +@@ -1,3 +1,8 @@ ++2014-12-28 Alexander Cherepanov <cherepan@mccme.ru> ++ ++ * elf_begin.c (read_long_names): Don't miss '/' right after ++ another '/'. Fixes a dir traversal vuln in ar extraction. ++ + 2012-08-16 Roland McGrath <roland@hack.frob.com> + + * elf.h: Update from glibc. +diff -ruN a/libelf/elf_begin.c b/libelf/elf_begin.c +--- a/libelf/elf_begin.c 2015-03-03 12:39:39.835253375 +0100 ++++ b/libelf/elf_begin.c 2015-03-03 12:41:30.906543370 +0100 +@@ -744,10 +744,7 @@ + break; + + /* NUL-terminate the string. */ +- *runp = '\0'; +- +- /* Skip the NUL byte and the \012. */ +- runp += 2; ++ *runp++ = '\0'; + + /* A sanity check. Somebody might have generated invalid + archive. */ diff --git a/meta/recipes-devtools/elfutils/elfutils_0.155.bb b/meta/recipes-devtools/elfutils/elfutils_0.155.bb index b1f410c0f6..edb4919e1a 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.155.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.155.bb @@ -23,6 +23,7 @@ SRC_URI += "\ file://nm-Fix-size-passed-to-snprintf-for-invalid-sh_name-case.patch \ file://elfutils-ar-c-fix-num-passed-to-memset.patch \ file://fix-build-gcc-4.8.patch \ + file://CVE-2014-9447.patch \ " # Only apply when building uclibc based target recipe SRC_URI_append_libc-uclibc = " file://uclibc-support.patch" |