author | Mike Frysinger <vapier@gentoo.org> | 2014-12-31 08:25:55 +0000 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2014-12-31 08:25:55 +0000 |
commit | 530c16519054c5e6fbd7e2ebee7aa69df6dc801a (patch) | |
tree | 8311cb9a2ba99e1029e9e9a70e41686bd2e16e9c /dev-libs/elfutils/files | |
parent | Fix cross-compiler bootstrapping for arm targets. (diff) | |
download | gentoo-2-530c16519054c5e6fbd7e2ebee7aa69df6dc801a.tar.gz gentoo-2-530c16519054c5e6fbd7e2ebee7aa69df6dc801a.tar.bz2 gentoo-2-530c16519054c5e6fbd7e2ebee7aa69df6dc801a.zip |
Version bump and libelf directory traversal fix from upstream #534000 by Agostino Sarubbo.
(Portage version: 2.2.15/cvs/Linux x86_64, signed Manifest commit with key D2E96200)
Diffstat (limited to 'dev-libs/elfutils/files')
-rw-r--r-- | dev-libs/elfutils/files/elfutils-0.161-libelf-dir-traversal.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/dev-libs/elfutils/files/elfutils-0.161-libelf-dir-traversal.patch b/dev-libs/elfutils/files/elfutils-0.161-libelf-dir-traversal.patch new file mode 100644 index 000000000000..84a28c71d234 --- /dev/null +++ b/dev-libs/elfutils/files/elfutils-0.161-libelf-dir-traversal.patch @@ -0,0 +1,51 @@ +https://bugs.gentoo.org/534000 + +From 147018e729e7c22eeabf15b82d26e4bf68a0d18e Mon Sep 17 00:00:00 2001 +From: Alexander Cherepanov <cherepan@mccme.ru> +Date: Sun, 28 Dec 2014 19:57:19 +0300 +Subject: [PATCH] libelf: Fix dir traversal vuln in ar extraction. + +read_long_names terminates names at the first '/' found but then skips +one character without checking (it's supposed to be '\n'). Hence the +next name could start with any character including '/'. This leads to +a directory traversal vulnerability at the time the contents of the +archive is extracted. + +The danger is mitigated by the fact that only one '/' is possible in a +resulting filename and only in the leading position. Hence only files +in the root directory can be written via this vuln and only when ar is +executed as root. + +The fix for the vuln is to not skip any characters while looking +for '/'. + +Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru> +--- + libelf/ChangeLog | 5 +++++ + libelf/elf_begin.c | 5 +---- + 2 files changed, 6 insertions(+), 4 deletions(-) + +2014-12-28 Alexander Cherepanov <cherepan@mccme.ru> + + * elf_begin.c (read_long_names): Don't miss '/' right after + another '/'. Fixes a dir traversal vuln in ar extraction. + +diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c +index 30abe0b..cd3756c 100644 +--- a/libelf/elf_begin.c ++++ b/libelf/elf_begin.c +@@ -749,10 +749,7 @@ read_long_names (Elf *elf) + } + + /* NUL-terminate the string. */ +- *runp = '\0'; +- +- /* Skip the NUL byte and the \012. */ +- runp += 2; ++ *runp++ = '\0'; + + /* A sanity check. Somebody might have generated invalid + archive. */ +-- +2.2.1 + |
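Review bot: The replacement line `*runp++ = '\0';` drops the old comment ("Skip the NUL byte and the \012") without saying why leaving the '\n' in the buffer is now acceptable; whether consumers reach long names only by offset from the member header, or ever walk the table sequentially past the NUL, is not visible in this hunk, so a one-line comment stating that assumption would stop the next reader from restoring the two-byte skip. The sanity check that follows (comparing runp against the end of the buffer) still holds with the one-byte advance, but the ChangeLog entry only records "Don't miss '/' right after another '/'"; a regression archive whose long-name table contains "//" would make the fix checkable in the testsuite.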
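As an added illustration, not code from elfutils or from the patch above, the program below reproduces the before/after behaviour the commit message describes on a constructed ar long-name table containing "//". The table contents (`HOSTILE_TABLE`), the two loop variants, the offset lookup `name_at` and the `member_name_unsafe` check are all assumptions made for this demo; only the scanning logic mirrors what the hunk changes.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed long-name table (payload of the "//" member) as a hostile
   archive might carry it: "foo.o/" followed directly by "/evil/\n", so the
   second entry begins with the byte the old loop stepped over blindly.
   Not taken from any real archive. */
static const char HOSTILE_TABLE[] = "foo.o//evil/\n";
#define HOSTILE_LEN (sizeof HOSTILE_TABLE - 1)

/* NUL-terminate entries the way the pre-fix loop did: stop at the first
   '/', then advance two bytes assuming the pair was "/\n". */
static void terminate_names_vulnerable(char *tab, size_t len)
{
    char *runp = tab;
    for (;;) {
        runp = memchr(runp, '/', len - (size_t)(runp - tab));
        if (runp == NULL)
            break;
        *runp = '\0';
        runp += 2;                 /* skips the next byte unchecked, even a '/' */
        if (runp >= tab + len)
            break;
    }
}

/* Same loop after the fix: advance one byte only, so a '/' that
   immediately follows another '/' is found and overwritten next round. */
static void terminate_names_fixed(char *tab, size_t len)
{
    char *runp = tab;
    for (;;) {
        runp = memchr(runp, '/', len - (size_t)(runp - tab));
        if (runp == NULL)
            break;
        *runp++ = '\0';
        if (runp >= tab + len)
            break;
    }
}

/* A member header of the form "/<offset>" selects tab + offset (assumed
   lookup for the demo).  NULL for an offset outside the table. */
static const char *name_at(const char *tab, size_t len, size_t off)
{
    return off < len ? tab + off : NULL;
}

/* Run one parser over a private copy of HOSTILE_TABLE and resolve OFF.
   The returned pointer is valid until the next call. */
const char *demo_name(int fixed, size_t off)
{
    static char buf[HOSTILE_LEN + 1];
    memcpy(buf, HOSTILE_TABLE, sizeof buf);
    if (fixed)
        terminate_names_fixed(buf, HOSTILE_LEN);
    else
        terminate_names_vulnerable(buf, HOSTILE_LEN);
    return name_at(buf, HOSTILE_LEN, off);
}

/* Defence in depth an extractor should apply regardless of parser: refuse
   a missing or empty name, or any name containing a path separator. */
int member_name_unsafe(const char *name)
{
    return name == NULL || name[0] == '\0' || strchr(name, '/') != NULL;
}

int main(void)
{
    printf("vulnerable, offset 0: \"%s\"\n", demo_name(0, 0));
    printf("vulnerable, offset 6: \"%s\" (an extractor running as root writes /evil)\n",
           demo_name(0, 6));
    printf("fixed,      offset 6: \"%s\"\n", demo_name(1, 6));
    printf("fixed,      offset 7: \"%s\"\n", demo_name(1, 7));
    return 0;
}
```

With the pre-fix loop, offset 6 resolves to "/evil": the first '/' was overwritten, the second was skipped, and only the '/' after "evil" was terminated, which is exactly the single leading slash the commit message describes. With the fixed loop every '/' is overwritten, so offset 6 yields an empty name and offset 7 yields "evil"; the `member_name_unsafe` check is the extra guard an extractor should apply on top.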