forked from pool/elfutils
19dc0a5313
OBS-URL: https://build.opensuse.org/request/show/280218 OBS-URL: https://build.opensuse.org/package/show/Base:System/elfutils?expand=0&rev=66
55 lines
1.9 KiB
Diff
55 lines
1.9 KiB
Diff
From: Alexander Cherepanov <cherepan@mccme.ru>
|
|
Subject: libelf: Fix dir traversal vuln in ar extraction
|
|
Date: Sun Dec 28 19:57:19 2014 +0300
|
|
Git-commit: 147018e729e7c22eeabf15b82d26e4bf68a0d18e
|
|
References: bnc#911662, CVE-2014-9447
|
|
Signed-off-by: Tony Jones <tonyj@suse.de>
|
|
|
|
libelf: Fix dir traversal vuln in ar extraction.
|
|
|
|
read_long_names terminates names at the first '/' found but then skips
|
|
one character without checking (it's supposed to be '\n'). Hence the
|
|
next name could start with any character including '/'. This leads to
|
|
a directory traversal vulnerability at the time the contents of the
|
|
archive is extracted.
|
|
|
|
The danger is mitigated by the fact that only one '/' is possible in a
|
|
resulting filename and only in the leading position. Hence only files
|
|
in the root directory can be written via this vuln and only when ar is
|
|
executed as root.
|
|
|
|
The fix for the vuln is to not skip any characters while looking
|
|
for '/'.
|
|
|
|
Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
|
|
|
|
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
|
|
index 3b88d03..447c354 100644
|
|
--- a/libelf/ChangeLog
|
|
+++ b/libelf/ChangeLog
|
|
@@ -1,3 +1,8 @@
|
|
+2014-12-28 Alexander Cherepanov <cherepan@mccme.ru>
|
|
+
|
|
+ * elf_begin.c (read_long_names): Don't miss '/' right after
|
|
+ another '/'. Fixes a dir traversal vuln in ar extraction.
|
|
+
|
|
2014-12-18 Ulrich Drepper <drepper@gmail.com>
|
|
|
|
* Makefile.am: Suppress output of textrel_check command.
|
|
diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
|
|
index 30abe0b..cd3756c 100644
|
|
--- a/libelf/elf_begin.c
|
|
+++ b/libelf/elf_begin.c
|
|
@@ -749,10 +749,7 @@ read_long_names (Elf *elf)
|
|
}
|
|
|
|
/* NUL-terminate the string. */
|
|
- *runp = '\0';
|
|
-
|
|
- /* Skip the NUL byte and the \012. */
|
|
- runp += 2;
|
|
+ *runp++ = '\0';
|
|
|
|
/* A sanity check. Somebody might have generated invalid
|
|
archive. */
|