Accepting request 280218 from home:jones_tony:branches:Base:System

OBS-URL: https://build.opensuse.org/request/show/280218
OBS-URL: https://build.opensuse.org/package/show/Base:System/elfutils?expand=0&rev=66

elfutils-fix-dir-traversal-vuln-in-ar-extraction.patch

@@ -0,0 +1,54 @@
+From: Alexander Cherepanov <cherepan@mccme.ru>
+Subject: libelf: Fix dir traversal vuln in ar extraction
+Date: Sun Dec 28 19:57:19 2014 +0300
+Git-commit: 147018e729e7c22eeabf15b82d26e4bf68a0d18e
+References: bnc#911662, CVE-2014-9447
+Signed-off-by: Tony Jones <tonyj@suse.de>
+
+    libelf: Fix dir traversal vuln in ar extraction.
+    
+    read_long_names terminates names at the first '/' found but then skips
+    one character without checking (it's supposed to be '\n'). Hence the
+    next name could start with any character including '/'. This leads to
+    a directory traversal vulnerability at the time the contents of the
+    archive is extracted.
+    
+    The danger is mitigated by the fact that only one '/' is possible in a
+    resulting filename and only in the leading position. Hence only files
+    in the root directory can be written via this vuln and only when ar is
+    executed as root.
+    
+    The fix for the vuln is to not skip any characters while looking
+    for '/'.
+    
+    Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
+
+diff --git a/libelf/ChangeLog b/libelf/ChangeLog
+index 3b88d03..447c354 100644
+--- a/libelf/ChangeLog
++++ b/libelf/ChangeLog
+@@ -1,3 +1,8 @@
++2014-12-28  Alexander Cherepanov  <cherepan@mccme.ru>
++
++	* elf_begin.c (read_long_names): Don't miss '/' right after
++	another '/'. Fixes a dir traversal vuln in ar extraction.
++
+ 2014-12-18  Ulrich Drepper  <drepper@gmail.com>
+ 
+ 	* Makefile.am: Suppress output of textrel_check command.
+diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
+index 30abe0b..cd3756c 100644
+--- a/libelf/elf_begin.c
++++ b/libelf/elf_begin.c
+@@ -749,10 +749,7 @@ read_long_names (Elf *elf)
+ 	    }
+ 
+ 	  /* NUL-terminate the string.  */
+-	  *runp = '\0';
+-
+-	  /* Skip the NUL byte and the \012.  */
+-	  runp += 2;
++	  *runp++ = '\0';
+ 
+ 	  /* A sanity check.  Somebody might have generated invalid
+ 	     archive.  */

elfutils.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jan  7 21:19:10 UTC 2015 - tonyj@suse.com
+
+- CVE-2014-9447: elfutils: Directory traversal vulnerability (bnc#911662)
+  Add patch: elfutils-fix-dir-traversal-vuln-in-ar-extraction.patch
+
 -------------------------------------------------------------------
 Wed Jan  7 00:45:34 UTC 2015 - p.drouand@gmail.com
 

elfutils.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package elfutils
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -30,11 +30,12 @@ Source1:        README-BEFORE-ADDING-PATCHES
 Source2:        baselibs.conf
 Source3:        %{name}.changes
 Patch1:         https://fedorahosted.org/releases/e/l/%{name}/%{version}/elfutils-portability-%{version}.patch
-Patch4:         libebl-prototype-fix.diff
-Patch5:         elfutils-uninitialized.diff
-Patch6:         elfutils-0.137-dwarf-header-check-fix.diff
-Patch7:         elfutils-0.148-dont-crash.diff
-Patch8:         elfutils-revert-portability-scanf.patch
+Patch2:         elfutils-revert-portability-scanf.patch
+Patch3:         libebl-prototype-fix.diff
+Patch4:         elfutils-uninitialized.diff
+Patch5:         elfutils-0.137-dwarf-header-check-fix.diff
+Patch6:         elfutils-0.148-dont-crash.diff
+Patch7:         elfutils-fix-dir-traversal-vuln-in-ar-extraction.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  flex
@@ -141,11 +142,12 @@ to develop applications that require these.
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1 -R
+%patch3 -p1
 %patch4 -p1
 %patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1 -R
+%patch6 -p1 
+%patch7 -p1 
 
 %build
 # Change DATE/TIME macros to use last change time of elfutils.changes