From def79f5f31bdbe53696651769beb79040b81f1dc Mon Sep 17 00:00:00 2001 From: Roy Li Date: Tue, 28 Apr 2015 14:22:54 +0800 Subject: elfutils: Security Advisory - CVE-2015-0255 Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9447 (From OE-Core rev: 4a65944b89a76f18c8ff6e148f17508882d387cf) (From OE-Core rev: 5eda84a62201461b9c69498ec35585d2c8142dec) Signed-off-by: Roy Li Signed-off-by: Richard Purdie --- ...f-Fix-dir-traversal-vuln-in-ar-extraction.patch | 59 ++++++++++++++++++++++ meta/recipes-devtools/elfutils/elfutils_0.161.bb | 1 + 2 files changed, 60 insertions(+) create mode 100644 meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch (limited to 'meta/recipes-devtools') diff --git a/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch b/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch new file mode 100644 index 0000000..7e4e492 --- /dev/null +++ b/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch @@ -0,0 +1,59 @@ +From 147018e729e7c22eeabf15b82d26e4bf68a0d18e Mon Sep 17 00:00:00 2001 +From: Alexander Cherepanov +Date: Sun, 28 Dec 2014 19:57:19 +0300 +Subject: [PATCH] libelf: Fix dir traversal vuln in ar extraction. + +Upstream-Status: Backport + +read_long_names terminates names at the first '/' found but then skips +one character without checking (it's supposed to be '\n'). Hence the +next name could start with any character including '/'. This leads to +a directory traversal vulnerability at the time the contents of the +archive is extracted. + +The danger is mitigated by the fact that only one '/' is possible in a +resulting filename and only in the leading position. Hence only files +in the root directory can be written via this vuln and only when ar is +executed as root. + +The fix for the vuln is to not skip any characters while looking +for '/'. + +Signed-off-by: Alexander Cherepanov +--- + libelf/ChangeLog | 5 +++++ + libelf/elf_begin.c | 5 +---- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/libelf/ChangeLog b/libelf/ChangeLog +index 3b88d03..447c354 100644 +--- a/libelf/ChangeLog ++++ b/libelf/ChangeLog +@@ -1,3 +1,8 @@ ++2014-12-28 Alexander Cherepanov ++ ++ * elf_begin.c (read_long_names): Don't miss '/' right after ++ another '/'. Fixes a dir traversal vuln in ar extraction. ++ + 2014-12-18 Ulrich Drepper + + * Makefile.am: Suppress output of textrel_check command. +diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c +index 30abe0b..cd3756c 100644 +--- a/libelf/elf_begin.c ++++ b/libelf/elf_begin.c +@@ -749,10 +749,7 @@ read_long_names (Elf *elf) + } + + /* NUL-terminate the string. */ +- *runp = '\0'; +- +- /* Skip the NUL byte and the \012. */ +- runp += 2; ++ *runp++ = '\0'; + + /* A sanity check. Somebody might have generated invalid + archive. */ +-- +1.9.1 + diff --git a/meta/recipes-devtools/elfutils/elfutils_0.161.bb b/meta/recipes-devtools/elfutils/elfutils_0.161.bb index c4c7cbc..ac84507 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.161.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.161.bb @@ -16,6 +16,7 @@ SRC_URI += "\ file://Fix_elf_cvt_gunhash.patch \ file://fixheadercheck.patch \ file://0001-elf_getarsym-Silence-Werror-maybe-uninitialized-fals.patch \ + file://0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch \ " # pick the patch from debian -- cgit v1.1