control: tag -1 patch, pending

Hi,

I've uploaded an NMU fixing this issue to delayed/5. Let me know if I should delay longer. Please see attached.

Best wishes,
Mike
diff -Nru elfutils-0.159/debian/changelog elfutils-0.159/debian/changelog --- elfutils-0.159/debian/changelog 2014-07-06 13:21:54.000000000 +0000 +++ elfutils-0.159/debian/changelog 2015-01-26 01:51:07.000000000 +0000 @@ -1,3 +1,10 @@ +elfutils (0.159-4.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix CVE-2014-9447: path traversal issue in ar (closes: #775536). + + -- Michael Gilbert <mgilb...@debian.org> Mon, 26 Jan 2015 01:49:30 +0000 + elfutils (0.159-4) unstable; urgency=medium [ Wookey ] diff -Nru elfutils-0.159/debian/patches/CVE-2014-9447.patch elfutils-0.159/debian/patches/CVE-2014-9447.patch --- elfutils-0.159/debian/patches/CVE-2014-9447.patch 1970-01-01 00:00:00.000000000 +0000 +++ elfutils-0.159/debian/patches/CVE-2014-9447.patch 2015-01-26 01:55:09.000000000 +0000 
@@ -0,0 +1,33 @@ +From 147018e729e7c22eeabf15b82d26e4bf68a0d18e Mon Sep 17 00:00:00 2001 +From: Alexander Cherepanov <chere...@mccme.ru> +Date: Sun, 28 Dec 2014 19:57:19 +0300 +Subject: libelf: Fix dir traversal vuln in ar extraction. + +read_long_names terminates names at the first '/' found but then skips +one character without checking (it's supposed to be '\n'). Hence the +next name could start with any character including '/'. This leads to +a directory traversal vulnerability at the time the contents of the +archive is extracted. + +The danger is mitigated by the fact that only one '/' is possible in a +resulting filename and only in the leading position. Hence only files +in the root directory can be written via this vuln and only when ar is +executed as root. + +The fix for the vuln is to not skip any characters while looking +for '/'. + +--- a/libelf/elf_begin.c ++++ b/libelf/elf_begin.c +@@ -736,10 +736,7 @@ read_long_names (Elf *elf) + break; + + /* NUL-terminate the string. */ +- *runp = '\0'; +- +- /* Skip the NUL byte and the \012. */ +- runp += 2; ++ *runp++ = '\0'; + + /* A sanity check. Somebody might have generated invalid + archive. */ diff -Nru elfutils-0.159/debian/patches/series elfutils-0.159/debian/patches/series --- elfutils-0.159/debian/patches/series 2014-07-06 13:15:53.000000000 +0000 +++ elfutils-0.159/debian/patches/series 2015-01-26 01:54:23.000000000 +0000 @@ -13,3 +13,4 @@ non_linux.patch unaligned.patch aarch64-run-native-test-fix.patch +CVE-2014-9447.patch
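Review bot: in the CVE-2014-9447.patch hunk, the new patch file carries only the git-style From/Date/Subject header and no DEP-3 `Origin:` or `Bug-Debian:` field; add `Origin: upstream, 147018e729e7c22eeabf15b82d26e4bf68a0d18e` and `Bug-Debian: https://bugs.debian.org/775536` above the `---` separator so the backport is traceable from the patch itself rather than only from the changelog entry. The code change matches the description in the embedded commit message: replacing `*runp = '\0'; runp += 2;` with `*runp++ = '\0';` means the byte following the NUL (which the removed comment merely assumed to be '\012') is no longer skipped unchecked, so the next search for '/' resumes one byte earlier and a following name can no longer begin with a '/' that was never examined, which is the traversal the message describes. The retained "A sanity check" context lines show the length check still follows the new statement, so no further adjustment of the loop is needed for this backport.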