Date: Monday, March 2, 2015 @ 22:01:29 Author: lcarlier Revision: 128583
upgpkg: lib32-elfutils 0.161-1 fix FS#44019 - CVE-2014-9447 Added: lib32-elfutils/trunk/CVE-2014-9447.patch Modified: lib32-elfutils/trunk/PKGBUILD ---------------------+ CVE-2014-9447.patch | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++ PKGBUILD | 7 ++++-- 2 files changed, 58 insertions(+), 2 deletions(-) Added: CVE-2014-9447.patch =================================================================== --- CVE-2014-9447.patch (rev 0) +++ CVE-2014-9447.patch 2015-03-02 21:01:29 UTC (rev 128583) @@ -0,0 +1,53 @@ +From 147018e729e7c22eeabf15b82d26e4bf68a0d18e Mon Sep 17 00:00:00 2001 +From: Alexander Cherepanov <chere...@mccme.ru> +Date: Sun, 28 Dec 2014 19:57:19 +0300 +Subject: libelf: Fix dir traversal vuln in ar extraction. + +read_long_names terminates names at the first '/' found but then skips +one character without checking (it's supposed to be '\n'). Hence the +next name could start with any character including '/'. This leads to +a directory traversal vulnerability at the time the contents of the +archive is extracted. + +The danger is mitigated by the fact that only one '/' is possible in a +resulting filename and only in the leading position. Hence only files +in the root directory can be written via this vuln and only when ar is +executed as root. + +The fix for the vuln is to not skip any characters while looking +for '/'. + +Signed-off-by: Alexander Cherepanov <chere...@mccme.ru> + +diff --git a/libelf/ChangeLog b/libelf/ChangeLog +index 3b88d03..447c354 100644 +--- a/libelf/ChangeLog ++++ b/libelf/ChangeLog +@@ -1,3 +1,8 @@ ++2014-12-28 Alexander Cherepanov <chere...@mccme.ru> ++ ++ * elf_begin.c (read_long_names): Don't miss '/' right after ++ another '/'. Fixes a dir traversal vuln in ar extraction. ++ + 2014-12-18 Ulrich Drepper <drep...@gmail.com> + + * Makefile.am: Suppress output of textrel_check command. +diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c +index 30abe0b..cd3756c 100644 +--- a/libelf/elf_begin.c ++++ b/libelf/elf_begin.c +@@ -749,10 +749,7 @@ read_long_names (Elf *elf) + } + + /* NUL-terminate the string. */ +- *runp = '\0'; +- +- /* Skip the NUL byte and the \012. */ +- runp += 2; ++ *runp++ = '\0'; + + /* A sanity check. Somebody might have generated invalid + archive. */ +-- +cgit v0.10.2 + Modified: PKGBUILD =================================================================== --- PKGBUILD 2015-03-02 20:28:31 UTC (rev 128582) +++ PKGBUILD 2015-03-02 21:01:29 UTC (rev 128583) @@ -13,11 +13,13 @@ depends=('lib32-bzip2' 'lib32-zlib' 'elfutils') makedepends=('gcc-multilib') source=(https://fedorahosted.org/releases/e/l/elfutils/${pkgver}/elfutils-${pkgver}.tar.bz2{,.sig} - 0001-tests-Make-deleted-and-vdsosyms-testcases-work-with-.patch) + 0001-tests-Make-deleted-and-vdsosyms-testcases-work-with-.patch + CVE-2014-9447.patch) options=('staticlibs') sha1sums=('85d48e18359c51e843c49b1894b2f54b85e88ae2' 'SKIP' - '86947fb8d0f51a65e19142350925f428ad0c7cb1') + '86947fb8d0f51a65e19142350925f428ad0c7cb1' + 'd3e0e8275695fcc6347b8730bd1eb141a022f756') validpgpkeys=('47CC0331081B8BC6D0FD4DA08370665B57816A6A') # Mark J. Wielaard <m...@klomp.org> prepare() { @@ -25,6 +27,7 @@ # https://lists.fedorahosted.org/pipermail/elfutils-devel/2015-January/004541.html patch -p1 < "$srcdir"/0001-tests-Make-deleted-and-vdsosyms-testcases-work-with-.patch + patch -p1 < "$srcdir"/CVE-2014-9447.patch } build() {