From f1c9e8f4587f8870ddf88cb873f895ce32b898a3 Mon Sep 17 00:00:00 2001
From: Mark Wielaard
Date: Tue, 13 Jan 2015 11:40:10 +0100
Subject: [PATCH] 0.161-2 Add elfutils-0.161-ar-long-name.patch (#1181525 CVE-2014-9447)

---
 elfutils-0.161-ar-long-name.patch | 51 +++++++++++++++++++++++++++++++
 elfutils.spec | 9 +++++-
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 elfutils-0.161-ar-long-name.patch

diff --git a/elfutils-0.161-ar-long-name.patch b/elfutils-0.161-ar-long-name.patch
new file mode 100644
index 0000000..030efd9
--- /dev/null
+++ b/elfutils-0.161-ar-long-name.patch
@@ -0,0 +1,51 @@
+commit 147018e729e7c22eeabf15b82d26e4bf68a0d18e
+Author: Alexander Cherepanov
+Date: Sun Dec 28 19:57:19 2014 +0300
+
+ libelf: Fix dir traversal vuln in ar extraction.
+
+ read_long_names terminates names at the first '/' found but then skips
+ one character without checking (it's supposed to be '\n'). Hence the
+ next name could start with any character including '/'. This leads to
+ a directory traversal vulnerability at the time the contents of the
+ archive is extracted.
+
+ The danger is mitigated by the fact that only one '/' is possible in a
+ resulting filename and only in the leading position. Hence only files
+ in the root directory can be written via this vuln and only when ar is
+ executed as root.
+
+ The fix for the vuln is to not skip any characters while looking
+ for '/'.
+
+ Signed-off-by: Alexander Cherepanov
+
+diff --git a/libelf/ChangeLog b/libelf/ChangeLog
+index 3b88d03..447c354 100644
+--- a/libelf/ChangeLog
++++ b/libelf/ChangeLog
+@@ -1,3 +1,8 @@
++2014-12-28 Alexander Cherepanov
++
++ * elf_begin.c (read_long_names): Don't miss '/' right after
++ another '/'. Fixes a dir traversal vuln in ar extraction.
++
+ 2014-12-18 Ulrich Drepper
+
+ * Makefile.am: Suppress output of textrel_check command.
+diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
+index 30abe0b..cd3756c 100644
+--- a/libelf/elf_begin.c
++++ b/libelf/elf_begin.c
+@@ -749,10 +749,7 @@ read_long_names (Elf *elf)
+ }
+
+ /* NUL-terminate the string. */
+- *runp = '\0';
+-
+- /* Skip the NUL byte and the \012. */
+- runp += 2;
++ *runp++ = '\0';
+
+ /* A sanity check. Somebody might have generated invalid
+ archive. */
diff --git a/elfutils.spec b/elfutils.spec
index d9dfa7e..67211df 100644
--- a/elfutils.spec
+++ b/elfutils.spec
@@ -1,7 +1,7 @@
 Name: elfutils
 Summary: A collection of utilities and DSOs to handle compiled objects
 Version: 0.161
-%global baserelease 1
+%global baserelease 2
 URL: https://fedorahosted.org/elfutils/
 %global source_url http://fedorahosted.org/releases/e/l/elfutils/%{version}/
 License: GPLv3+ and (GPLv2+ or LGPLv3+)
@@ -46,6 +46,8 @@ Source: %{?source_url}%{name}-%{version}.tar.bz2
 Patch1: %{?source_url}elfutils-portability-%{version}.patch
+Patch2: elfutils-0.161-ar-long-name.patch
+
 %if !%{compat}
 Release: %{baserelease}%{?dist}
 %else
@@ -207,6 +209,8 @@ sed -i.scanf-m -e 's/%m/%a/g' src/addr2line.c tests/line2addr.c
 %endif
 %endif
+%patch2 -p1 -b .ar_long_name
+
 find . -name \*.sh ! -perm -0100 -print | xargs chmod +x
 %build
@@ -334,6 +338,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_libdir}/libelf.a
 %changelog
+* Tue Jan 13 2015 Mark Wielaard - 0.161-2
+- Add elfutils-0.161-ar-long-name.patch (#1181525 CVE-2014-9447)
+
 * Fri Dec 19 2014 Mark Wielaard - 0.161-1
 - Update to 0.161.
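Review bot: The backported elf_begin.c hunk replaces the explanatory comment "Skip the NUL byte and the \012" with a bare `*runp++ = '\0';`, so the reason the separator byte is deliberately not skipped now lives only in the commit message. A later maintainer reading just the code could plausibly reintroduce the `runp += 2` skip as a cleanup, reopening the flaw the patch closes. Suggest keeping a why-comment next to the new line, e.g. `/* Do not skip the byte after '/': a crafted archive need not put '\n' there, and skipping it would let the next name start at any byte, including '/'. */`. read_long_names's body, including the loop condition and the memchr-based search that the nested diff's context lines imply, starts and ends outside the hunk, so this note cannot confirm how the retained byte is treated on the next iteration.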