Hi! There is a directory traversal in `ar`:
# printf '!<arch>\n%-48s%-10s`\n//file/\n%-48s%-10s`\n' // 8 /1 0 > test.a # ar -xv test.a x - /file Patch attached. -- Alexander Cherepanov
diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index 947b0ed..ae1e712 100644
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -749,10 +749,7 @@ read_long_names (Elf *elf)
 }
 /* NUL-terminate the string. */
- *runp = '\0';
-
- /* Skip the NUL byte and the \012. */
- runp += 2;
+ *runp++ = '\0';
 /* A sanity check. Somebody might have generated invalid archive. */
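Review bot: The new line `*runp++ = '\0';` changes the scan from "terminate at the `/\n` pair and step over both bytes" to "replace every `/` with NUL and advance one byte", but the hunk drops the old explanatory comment without replacing it, so the reason for the change (a long-name entry can no longer carry a leading or embedded path separator through to the extractor, which is the traversal described in the report) is stated nowhere in the code. I would keep a comment above the new line such as `/* Turn every '/' into NUL, not only the "/\n" terminator: a name from the long-name table must never contain a path separator.  */`. With the `+= 2` gone, the `\012` of each terminator now stays in the buffer as the byte after the NUL; that looks harmless if callers address names only by the offsets stored in the member headers, but the lookup site is not in this hunk, so that assumption should be confirmed there. read_long_names begins and ends outside the hunk, and the sanity check named by the trailing comment is not shown.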
