elfutils: Security Advisory - CVE-2015-0255
Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9447 (From OE-Core rev: 4a65944b89a76f18c8ff6e148f17508882d387cf) Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
927bc7148c
commit
145abfc06b
|
@ -0,0 +1,59 @@
|
|||
From 147018e729e7c22eeabf15b82d26e4bf68a0d18e Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Cherepanov <cherepan@mccme.ru>
|
||||
Date: Sun, 28 Dec 2014 19:57:19 +0300
|
||||
Subject: [PATCH] libelf: Fix dir traversal vuln in ar extraction.
|
||||
|
||||
Upstream-Status: Backport
|
||||
|
||||
read_long_names terminates names at the first '/' found but then skips
|
||||
one character without checking (it's supposed to be '\n'). Hence the
|
||||
next name could start with any character including '/'. This leads to
|
||||
a directory traversal vulnerability at the time the contents of the
|
||||
archive is extracted.
|
||||
|
||||
The danger is mitigated by the fact that only one '/' is possible in a
|
||||
resulting filename and only in the leading position. Hence only files
|
||||
in the root directory can be written via this vuln and only when ar is
|
||||
executed as root.
|
||||
|
||||
The fix for the vuln is to not skip any characters while looking
|
||||
for '/'.
|
||||
|
||||
Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
|
||||
---
|
||||
libelf/ChangeLog | 5 +++++
|
||||
libelf/elf_begin.c | 5 +----
|
||||
2 files changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
|
||||
index 3b88d03..447c354 100644
|
||||
--- a/libelf/ChangeLog
|
||||
+++ b/libelf/ChangeLog
|
||||
@@ -1,3 +1,8 @@
|
||||
+2014-12-28 Alexander Cherepanov <cherepan@mccme.ru>
|
||||
+
|
||||
+ * elf_begin.c (read_long_names): Don't miss '/' right after
|
||||
+ another '/'. Fixes a dir traversal vuln in ar extraction.
|
||||
+
|
||||
2014-12-18 Ulrich Drepper <drepper@gmail.com>
|
||||
|
||||
* Makefile.am: Suppress output of textrel_check command.
|
||||
diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
|
||||
index 30abe0b..cd3756c 100644
|
||||
--- a/libelf/elf_begin.c
|
||||
+++ b/libelf/elf_begin.c
|
||||
@@ -749,10 +749,7 @@ read_long_names (Elf *elf)
|
||||
}
|
||||
|
||||
/* NUL-terminate the string. */
|
||||
- *runp = '\0';
|
||||
-
|
||||
- /* Skip the NUL byte and the \012. */
|
||||
- runp += 2;
|
||||
+ *runp++ = '\0';
|
||||
|
||||
/* A sanity check. Somebody might have generated invalid
|
||||
archive. */
|
||||
--
|
||||
1.9.1
|
||||
|
|
@ -16,6 +16,7 @@ SRC_URI += "\
|
|||
file://Fix_elf_cvt_gunhash.patch \
|
||||
file://fixheadercheck.patch \
|
||||
file://0001-elf_getarsym-Silence-Werror-maybe-uninitialized-fals.patch \
|
||||
file://0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch \
|
||||
"
|
||||
|
||||
# pick the patch from debian
|
||||
|
|
Loading…
Reference in New Issue