[OE-core] [daisy][PATCH] elfutils: CVE-2014-9447

Sona Sarmadi sona.sarmadi at enea.com
Fri Mar 6 12:35:47 UTC 2015 

Fixes directory traversal vulnerability in elfutils 'ar' utility

Reference
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9447

Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
---
 .../elfutils/elfutils/CVE-2014-9447.patch          | 51 ++++++++++++++++++++++
 meta/recipes-devtools/elfutils/elfutils_0.148.bb   |  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch

diff --git a/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch
new file mode 100644
index 0000000..8edec1b
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch
@@ -0,0 +1,51 @@
+libelf: Fix dir traversal vuln in ar extraction.
+
+read_long_names terminates names at the first '/' found but
+then skips one character without checking (it's supposed to
+be '\n'). Hence the next name could start with any character
+including '/'. This leads to a directory traversal vulnerability
+at the time the contents of the archive is extracted.
+
+The danger is mitigated by the fact that only one '/' is
+possible in a resulting filename and only in the leading position.
+Hence only files in the root directory can be written via this vuln
+and only when ar is executed as root. The fix for the vuln is to not
+skip any characters while looking for '/'.
+
+Upstream commit:
+https://git.fedorahosted.org/cgit/elfutils.git/commit/
+?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e
+
+Fixes CVE-2014-9447
+Upstream-Status: Backport
+
+Signed-off-by: Alexander Cherepanov <cherepan at mccme.ru>
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+diff -ruN a/libelf/ChangeLog b/libelf/ChangeLog
+--- a/libelf/ChangeLog	2015-03-03 10:45:03.586045753 +0100
++++ b/libelf/ChangeLog	2015-03-03 10:47:14.052545814 +0100
+@@ -1,3 +1,8 @@
++2014-12-28  Alexander Cherepanov  <cherepan at mccme.ru>
++
++       * elf_begin.c (read_long_names): Don't miss '/' right after
++       another '/'. Fixes a dir traversal vuln in ar extraction.
++
+ 2010-06-14  Ulrich Drepper  <drepper at redhat.com>
+ 
+ 	* gelf_update_shdr.c: Implicitly set ELF_F_DIRTY bit.
+diff -ruN a/libelf/elf_begin.c b/libelf/elf_begin.c
+--- a/libelf/elf_begin.c	2015-03-03 10:45:04.414010849 +0100
++++ b/libelf/elf_begin.c	2015-03-03 10:45:46.736226750 +0100
+@@ -765,10 +765,7 @@
+ 	    break;
+ 
+ 	  /* NUL-terminate the string.  */
+-	  *runp = '\0';
+-
+-	  /* Skip the NUL byte and the \012.  */
+-	  runp += 2;
++	  *runp++ = '\0';
+ 
+ 	  /* A sanity check.  Somebody might have generated invalid
+ 	     archive.  */
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.148.bb b/meta/recipes-devtools/elfutils/elfutils_0.148.bb
index 1106242..d65867e 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.148.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.148.bb
@@ -32,6 +32,7 @@ SRC_URI += "\
 	file://dso-link-change.patch \
 	file://nm-Fix-size-passed-to-snprintf-for-invalid-sh_name-case.patch \
 	file://elfutils-ar-c-fix-num-passed-to-memset.patch \
+        file://CVE-2014-9447.patch \
 "
 # Only apply when building uclibc based target recipe
 SRC_URI_append_libc-uclibc = " file://uclibc-support.patch"
-- 
1.9.1

More information about the Openembedded-core mailing list