diff --git a/elfutils-fix-dir-traversal-vuln-in-ar-extraction.patch b/elfutils-fix-dir-traversal-vuln-in-ar-extraction.patch
new file mode 100644
index 0000000..dc60c40
--- /dev/null
+++ b/elfutils-fix-dir-traversal-vuln-in-ar-extraction.patch
@@ -0,0 +1,54 @@
+From: Alexander Cherepanov
+Subject: libelf: Fix dir traversal vuln in ar extraction
+Date: Sun Dec 28 19:57:19 2014 +0300
+Git-commit: 147018e729e7c22eeabf15b82d26e4bf68a0d18e
+References: bnc#911662, CVE-2014-9447
+Signed-off-by: Tony Jones
+
+ libelf: Fix dir traversal vuln in ar extraction.
+
+ read_long_names terminates names at the first '/' found but then skips
+ one character without checking (it's supposed to be '\n'). Hence the
+ next name could start with any character including '/'. This leads to
+ a directory traversal vulnerability at the time the contents of the
+ archive is extracted.
+
+ The danger is mitigated by the fact that only one '/' is possible in a
+ resulting filename and only in the leading position. Hence only files
+ in the root directory can be written via this vuln and only when ar is
+ executed as root.
+
+ The fix for the vuln is to not skip any characters while looking
+ for '/'.
+
+ Signed-off-by: Alexander Cherepanov
+
+diff --git a/libelf/ChangeLog b/libelf/ChangeLog
+index 3b88d03..447c354 100644
+--- a/libelf/ChangeLog
++++ b/libelf/ChangeLog
+@@ -1,3 +1,8 @@
++2014-12-28 Alexander Cherepanov
++
++ * elf_begin.c (read_long_names): Don't miss '/' right after
++ another '/'. Fixes a dir traversal vuln in ar extraction.
++
+ 2014-12-18 Ulrich Drepper
+
+ * Makefile.am: Suppress output of textrel_check command.
+diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
+index 30abe0b..cd3756c 100644
+--- a/libelf/elf_begin.c
++++ b/libelf/elf_begin.c
+@@ -749,10 +749,7 @@ read_long_names (Elf *elf)
+ }
+
+ /* NUL-terminate the string. */
+- *runp = '\0';
+-
+- /* Skip the NUL byte and the \012. */
+- runp += 2;
++ *runp++ = '\0';
+
+ /* A sanity check. Somebody might have generated invalid
+ archive. */
diff --git a/elfutils.changes b/elfutils.changes
index 6e3bed2..c00d141 100644
--- a/elfutils.changes
+++ b/elfutils.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jan 7 21:19:10 UTC 2015 - tonyj@suse.com
+
+- CVE-2014-9447: elfutils: Directory traversal vulnerability (bnc#911662)
+ Add patch: elfutils-fix-dir-traversal-vuln-in-ar-extraction.patch
+
 -------------------------------------------------------------------
 Wed Jan 7 00:45:34 UTC 2015 - p.drouand@gmail.com
diff --git a/elfutils.spec b/elfutils.spec
index 0a648ef..362facd 100644
--- a/elfutils.spec
+++ b/elfutils.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package elfutils
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -30,11 +30,12 @@ Source1: README-BEFORE-ADDING-PATCHES
 Source2: baselibs.conf
 Source3: %{name}.changes
 Patch1: https://fedorahosted.org/releases/e/l/%{name}/%{version}/elfutils-portability-%{version}.patch
-Patch4: libebl-prototype-fix.diff
-Patch5: elfutils-uninitialized.diff
-Patch6: elfutils-0.137-dwarf-header-check-fix.diff
-Patch7: elfutils-0.148-dont-crash.diff
-Patch8: elfutils-revert-portability-scanf.patch
+Patch2: elfutils-revert-portability-scanf.patch
+Patch3: libebl-prototype-fix.diff
+Patch4: elfutils-uninitialized.diff
+Patch5: elfutils-0.137-dwarf-header-check-fix.diff
+Patch6: elfutils-0.148-dont-crash.diff
+Patch7: elfutils-fix-dir-traversal-vuln-in-ar-extraction.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: bison
 BuildRequires: flex
@@ -141,11 +142,12 @@ to develop applications that require these.
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1 -R
+%patch3 -p1
 %patch4 -p1
 %patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1 -R
+%patch6 -p1
+%patch7 -p1
 %build
 # Change DATE/TIME macros to use last change time of elfutils.changes
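Review bot: Renumbering the existing patches is not needed for the CVE fix and silently changes the application order: the reverse-applied `elfutils-revert-portability-scanf.patch` moves from last (`%patch8 -p1 -R`) to directly after Patch1 (`%patch2 -p1 -R`), ahead of the four patches it used to follow, and the %prep hunk in this section makes the same reorder. Judging by its name the patch undoes part of the portability patch, so applying it right after Patch1 is presumably intentional, but neither the spec nor the elfutils.changes entry records that dependency, and a later %prep failure in one of the shuffled patches would be hard to attribute. Either keep the old numbers and add the CVE fix as Patch9, or document the ordering in the spec, e.g. `# Patch2 reverts the scanf part of Patch1 (applied with -R) and must directly follow it`. The new `Patch7` / `%patch7 -p1` lines themselves are consistent with the `a/libelf/...` prefixes inside the added patch file.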