File elfutils-fix-dir-traversal-vuln-in-ar-extractio... of Package elfutils.14006

Overview Repositories Revisions Requests Users Attributes Meta

File elfutils-fix-dir-traversal-vuln-in-ar-extraction.patch of Package elfutils.14006

From: Alexander Cherepanov <cherepan@mccme.ru>
Subject: libelf: Fix dir traversal vuln in ar extraction
Date: Sun Dec 28 19:57:19 2014 +0300
Git-commit: 147018e729e7c22eeabf15b82d26e4bf68a0d18e
References: bnc#911662, CVE-2014-9447
Signed-off-by: Tony Jones <tonyj@suse.de>

libelf: Fix dir traversal vuln in ar extraction.
    
    read_long_names terminates names at the first '/' found but then skips
    one character without checking (it's supposed to be '\n'). Hence the
    next name could start with any character including '/'. This leads to
    a directory traversal vulnerability at the time the contents of the
    archive is extracted.
    
    The danger is mitigated by the fact that only one '/' is possible in a
    resulting filename and only in the leading position. Hence only files
    in the root directory can be written via this vuln and only when ar is
    executed as root.
    
    The fix for the vuln is to not skip any characters while looking
    for '/'.
    
    Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>

---
 libelf/elf_begin.c |    5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -741,10 +741,7 @@ read_long_names (Elf *elf)
 	    break;
 
 	  /* NUL-terminate the string.  */
-	  *runp = '\0';
-
-	  /* Skip the NUL byte and the \012.  */
-	  runp += 2;
+	  *runp++ = '\0';
 
 	  /* A sanity check.  Somebody might have generated invalid
 	     archive.  */

Places

File elfutils-fix-dir-traversal-vuln-in-ar-extraction.patch of Package elfutils.14006

Places