0.161-2 Add elfutils-0.161-ar-long-name.patch (#1181525 CVE-2014-9447)

2015-01-13 11:40:10 +01:00 · 2015-01-13 11:40:10 +01:00 · f1c9e8f458
commit f1c9e8f458
parent 614e4be530
2 changed files with 59 additions and 1 deletions
--- a/elfutils-0.161-ar-long-name.patch
+++ b/elfutils-0.161-ar-long-name.patch
@ -0,0 +1,51 @@
+commit 147018e729e7c22eeabf15b82d26e4bf68a0d18e
+Author: Alexander Cherepanov <cherepan@mccme.ru>
+Date:   Sun Dec 28 19:57:19 2014 +0300
+
+    libelf: Fix dir traversal vuln in ar extraction.
+    
+    read_long_names terminates names at the first '/' found but then skips
+    one character without checking (it's supposed to be '\n'). Hence the
+    next name could start with any character including '/'. This leads to
+    a directory traversal vulnerability at the time the contents of the
+    archive is extracted.
+    
+    The danger is mitigated by the fact that only one '/' is possible in a
+    resulting filename and only in the leading position. Hence only files
+    in the root directory can be written via this vuln and only when ar is
+    executed as root.
+    
+    The fix for the vuln is to not skip any characters while looking
+    for '/'.
+    
+    Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
+
+diff --git a/libelf/ChangeLog b/libelf/ChangeLog
+index 3b88d03..447c354 100644
+--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
+@@ -1,3 +1,8 @@
+2014-12-28  Alexander Cherepanov  <cherepan@mccme.ru>
+
+	* elf_begin.c (read_long_names): Don't miss '/' right after
+	another '/'. Fixes a dir traversal vuln in ar extraction.
+
+ 2014-12-18  Ulrich Drepper  <drepper@gmail.com>
+ 
+ 	* Makefile.am: Suppress output of textrel_check command.
+diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
+index 30abe0b..cd3756c 100644
+--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
+@@ -749,10 +749,7 @@ read_long_names (Elf *elf)
+ 	    }
+ 
+ 	  /* NUL-terminate the string.  */
+-	  *runp = '\0';
+-
+-	  /* Skip the NUL byte and the \012.  */
+-	  runp += 2;
+	  *runp++ = '\0';
+ 
+ 	  /* A sanity check.  Somebody might have generated invalid
+ 	     archive.  */
--- a/elfutils.spec
+++ b/elfutils.spec
@ -1,7 +1,7 @@
 Name: elfutils
 Summary: A collection of utilities and DSOs to handle compiled objects
 Version: 0.161
-%global baserelease 1
+%global baserelease 2
 URL: https://fedorahosted.org/elfutils/
 %global source_url http://fedorahosted.org/releases/e/l/elfutils/%{version}/
 License: GPLv3+ and (GPLv2+ or LGPLv3+)
@ -46,6 +46,8 @@ Source: %{?source_url}%{name}-%{version}.tar.bz2

 Patch1: %{?source_url}elfutils-portability-%{version}.patch

+Patch2: elfutils-0.161-ar-long-name.patch
+
 %if !%{compat}
 Release: %{baserelease}%{?dist}
 %else
@ -207,6 +209,8 @@ sed -i.scanf-m -e 's/%m/%a/g' src/addr2line.c tests/line2addr.c
 %endif
 %endif

+%patch2 -p1 -b .ar_long_name
+
 find . -name \*.sh ! -perm -0100 -print | xargs chmod +x

 %build
@ -334,6 +338,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_libdir}/libelf.a

 %changelog
+* Tue Jan 13 2015 Mark Wielaard <mjw@redhat.com> - 0.161-2
+- Add elfutils-0.161-ar-long-name.patch (#1181525 CVE-2014-9447)
+
 * Fri Dec 19 2014 Mark Wielaard <mjw@redhat.com> - 0.161-1
 - Update to 0.161.