elfutils: CVE-2014-9447

directory traversal in read_long_names()

Reference
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9447

Upstream commit with the analysis:
https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

diff --git a/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch
new file mode 100644 (file)
index 0000000..82b05fb
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/elfutils/CVE-2014-9447.patch
@@ -0,0 +1,50 @@
+libelf: Fix dir traversal vuln in ar extraction.
+
+read_long_names terminates names at the first '/' found but then skips one
+character without checking (it's supposed to be '\n'). Hence the next name could
+start with any character including '/'. This leads to a directory traversal
+vulnerability at the time the contents of the archive is extracted.
+
+The danger is mitigated by the fact that only one '/' is possible in a resulting
+filename
+and only in the leading position. Hence only files in the root directory can be
+written via this vuln and only when ar is executed as root. The fix for the vuln
+is to not skip any characters while looking for '/'.
+
+Upstream commit:
+https://git.fedorahosted.org/cgit/elfutils.git/commit/
+?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e
+
+Fixes CVE-2014-9447
+Upstream-Status: Backport
+
+Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -ruN a/libelf/ChangeLog b/libelf/ChangeLog
+--- a/libelf/ChangeLog 2015-03-03 12:39:39.255277970 +0100
++++ b/libelf/ChangeLog 2015-03-03 12:43:44.700870042 +0100
+@@ -1,3 +1,8 @@
++2014-12-28  Alexander Cherepanov  <cherepan@mccme.ru>
++
++       * elf_begin.c (read_long_names): Don't miss '/' right after
++       another '/'. Fixes a dir traversal vuln in ar extraction.
++
+ 2012-08-16  Roland McGrath  <roland@hack.frob.com>
+ 
+       * elf.h: Update from glibc.
+diff -ruN a/libelf/elf_begin.c b/libelf/elf_begin.c
+--- a/libelf/elf_begin.c       2015-03-03 12:39:39.835253375 +0100
++++ b/libelf/elf_begin.c       2015-03-03 12:41:30.906543370 +0100
+@@ -744,10 +744,7 @@
+           break;
+ 
+         /* NUL-terminate the string.  */
+-        *runp = '\0';
+-
+-        /* Skip the NUL byte and the \012.  */
+-        runp += 2;
++        *runp++ = '\0';
+ 
+         /* A sanity check.  Somebody might have generated invalid
+            archive.  */

diff --git a/meta/recipes-devtools/elfutils/elfutils_0.155.bb b/meta/recipes-devtools/elfutils/elfutils_0.155.bb
index b1f410c0f6c236092b522244f90d62ab9a8e9a70..edb4919e1a6b2c0eac270849631579cabe0f199f 100644 (file)
--- a/meta/recipes-devtools/elfutils/elfutils_0.155.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.155.bb
@@ -23,6 +23,7 @@ SRC_URI += "\
        file://nm-Fix-size-passed-to-snprintf-for-invalid-sh_name-case.patch \
        file://elfutils-ar-c-fix-num-passed-to-memset.patch \
        file://fix-build-gcc-4.8.patch \
+        file://CVE-2014-9447.patch \
 "
 # Only apply when building uclibc based target recipe
 SRC_URI_append_libc-uclibc = " file://uclibc-support.patch"