* Re: [oe-commits] Roy Li : elfutils: Security Advisory - CVE-2015-0255 [not found] <20150501064023.6E7B950467@opal.openembedded.org> @ 2015-05-22 11:46 ` Martin Jansa 2015-05-25 0:54 ` Rongqing Li 0 siblings, 1 reply; 2+ messages in thread From: Martin Jansa @ 2015-05-22 11:46 UTC (permalink / raw) To: openembedded-devel; +Cc: openembedded-commits On Fri, May 01, 2015 at 06:40:23AM +0000, git@git.openembedded.org wrote: > Module: openembedded-core.git > Branch: master > Commit: 4a65944b89a76f18c8ff6e148f17508882d387cf > URL: http://git.openembedded.org/?p=openembedded-core.git&a=commit;h=4a65944b89a76f18c8ff6e148f17508882d387cf > > Author: Roy Li <rongqing.li@windriver.com> > Date: Tue Apr 28 14:22:54 2015 +0800 > > elfutils: Security Advisory - CVE-2015-0255 So is it CVE-2015-0255 or CVE-2014-9447 like the link bellow says? :/ CVE-2015-0255 is "X.Org Server (aka xserver and xorg-server) before 1.16.3 and 1.17.x before 1.17.1 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (crash) via a crafted string length value in a XkbSetGeometry request." > > Directory traversal vulnerability in the read_long_names function in > libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers > to write to arbitrary files to the root directory via a / (slash) in a > crafted archive, as demonstrated using the ar program. > > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9447 > > Signed-off-by: Roy Li <rongqing.li@windriver.com> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> > > --- > > ...f-Fix-dir-traversal-vuln-in-ar-extraction.patch | 59 ++++++++++++++++++++++ > meta/recipes-devtools/elfutils/elfutils_0.161.bb | 1 + > 2 files changed, 60 insertions(+) > > diff --git a/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch b/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch > new file mode 100644 > index 0000000..7e4e492 > --- /dev/null > +++ b/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch > @@ -0,0 +1,59 @@ > +From 147018e729e7c22eeabf15b82d26e4bf68a0d18e Mon Sep 17 00:00:00 2001 > +From: Alexander Cherepanov <cherepan@mccme.ru> > +Date: Sun, 28 Dec 2014 19:57:19 +0300 > +Subject: [PATCH] libelf: Fix dir traversal vuln in ar extraction. > + > +Upstream-Status: Backport > + > +read_long_names terminates names at the first '/' found but then skips > +one character without checking (it's supposed to be '\n'). Hence the > +next name could start with any character including '/'. This leads to > +a directory traversal vulnerability at the time the contents of the > +archive is extracted. > + > +The danger is mitigated by the fact that only one '/' is possible in a > +resulting filename and only in the leading position. Hence only files > +in the root directory can be written via this vuln and only when ar is > +executed as root. > + > +The fix for the vuln is to not skip any characters while looking > +for '/'. > + > +Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru> > +--- > + libelf/ChangeLog | 5 +++++ > + libelf/elf_begin.c | 5 +---- > + 2 files changed, 6 insertions(+), 4 deletions(-) > + > +diff --git a/libelf/ChangeLog b/libelf/ChangeLog > +index 3b88d03..447c354 100644 > +--- a/libelf/ChangeLog > ++++ b/libelf/ChangeLog > +@@ -1,3 +1,8 @@ > ++2014-12-28 Alexander Cherepanov <cherepan@mccme.ru> > ++ > ++ * elf_begin.c (read_long_names): Don't miss '/' right after > ++ another '/'. Fixes a dir traversal vuln in ar extraction. > ++ > + 2014-12-18 Ulrich Drepper <drepper@gmail.com> > + > + * Makefile.am: Suppress output of textrel_check command. > +diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c > +index 30abe0b..cd3756c 100644 > +--- a/libelf/elf_begin.c > ++++ b/libelf/elf_begin.c > +@@ -749,10 +749,7 @@ read_long_names (Elf *elf) > + } > + > + /* NUL-terminate the string. */ > +- *runp = '\0'; > +- > +- /* Skip the NUL byte and the \012. */ > +- runp += 2; > ++ *runp++ = '\0'; > + > + /* A sanity check. Somebody might have generated invalid > + archive. */ > +-- > +1.9.1 > + > diff --git a/meta/recipes-devtools/elfutils/elfutils_0.161.bb b/meta/recipes-devtools/elfutils/elfutils_0.161.bb > index 0dbe9f9..e111b34 100644 > --- a/meta/recipes-devtools/elfutils/elfutils_0.161.bb > +++ b/meta/recipes-devtools/elfutils/elfutils_0.161.bb > @@ -16,6 +16,7 @@ SRC_URI += "\ > file://Fix_elf_cvt_gunhash.patch \ > file://fixheadercheck.patch \ > file://0001-elf_getarsym-Silence-Werror-maybe-uninitialized-fals.patch \ > + file://0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch \ > " > > # pick the patch from debian > > -- > _______________________________________________ > Openembedded-commits mailing list > Openembedded-commits@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-commits -- Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com ^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [oe-commits] Roy Li : elfutils: Security Advisory - CVE-2015-0255 2015-05-22 11:46 ` [oe-commits] Roy Li : elfutils: Security Advisory - CVE-2015-0255 Martin Jansa @ 2015-05-25 0:54 ` Rongqing Li 0 siblings, 0 replies; 2+ messages in thread From: Rongqing Li @ 2015-05-25 0:54 UTC (permalink / raw) To: openembedded-devel; +Cc: openembedded-commits On 2015年05月22日 19:46, Martin Jansa wrote: > On Fri, May 01, 2015 at 06:40:23AM +0000, git@git.openembedded.org wrote: >> Module: openembedded-core.git >> Branch: master >> Commit: 4a65944b89a76f18c8ff6e148f17508882d387cf >> URL: http://git.openembedded.org/?p=openembedded-core.git&a=commit;h=4a65944b89a76f18c8ff6e148f17508882d387cf >> >> Author: Roy Li <rongqing.li@windriver.com> >> Date: Tue Apr 28 14:22:54 2015 +0800 >> >> elfutils: Security Advisory - CVE-2015-0255 > > So is it CVE-2015-0255 or CVE-2014-9447 like the link bellow says? > sorry, the title is wrong, it should be CVE-2014-9447 -Roy > :/ > > CVE-2015-0255 is "X.Org Server (aka xserver and xorg-server) before > 1.16.3 and 1.17.x before 1.17.1 allows remote attackers to obtain > sensitive information from process memory or cause a denial of service > (crash) via a crafted string length value in a XkbSetGeometry request." > > >> >> Directory traversal vulnerability in the read_long_names function in >> libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers >> to write to arbitrary files to the root directory via a / (slash) in a >> crafted archive, as demonstrated using the ar program. >> >> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9447 >> >> Signed-off-by: Roy Li <rongqing.li@windriver.com> >> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> >> >> --- >> >> ...f-Fix-dir-traversal-vuln-in-ar-extraction.patch | 59 ++++++++++++++++++++++ >> meta/recipes-devtools/elfutils/elfutils_0.161.bb | 1 + >> 2 files changed, 60 insertions(+) >> >> diff --git a/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch b/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch >> new file mode 100644 >> index 0000000..7e4e492 >> --- /dev/null >> +++ b/meta/recipes-devtools/elfutils/elfutils-0.161/0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch >> @@ -0,0 +1,59 @@ >> +From 147018e729e7c22eeabf15b82d26e4bf68a0d18e Mon Sep 17 00:00:00 2001 >> +From: Alexander Cherepanov <cherepan@mccme.ru> >> +Date: Sun, 28 Dec 2014 19:57:19 +0300 >> +Subject: [PATCH] libelf: Fix dir traversal vuln in ar extraction. >> + >> +Upstream-Status: Backport >> + >> +read_long_names terminates names at the first '/' found but then skips >> +one character without checking (it's supposed to be '\n'). Hence the >> +next name could start with any character including '/'. This leads to >> +a directory traversal vulnerability at the time the contents of the >> +archive is extracted. >> + >> +The danger is mitigated by the fact that only one '/' is possible in a >> +resulting filename and only in the leading position. Hence only files >> +in the root directory can be written via this vuln and only when ar is >> +executed as root. >> + >> +The fix for the vuln is to not skip any characters while looking >> +for '/'. >> + >> +Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru> >> +--- >> + libelf/ChangeLog | 5 +++++ >> + libelf/elf_begin.c | 5 +---- >> + 2 files changed, 6 insertions(+), 4 deletions(-) >> + >> +diff --git a/libelf/ChangeLog b/libelf/ChangeLog >> +index 3b88d03..447c354 100644 >> +--- a/libelf/ChangeLog >> ++++ b/libelf/ChangeLog >> +@@ -1,3 +1,8 @@ >> ++2014-12-28 Alexander Cherepanov <cherepan@mccme.ru> >> ++ >> ++ * elf_begin.c (read_long_names): Don't miss '/' right after >> ++ another '/'. Fixes a dir traversal vuln in ar extraction. >> ++ >> + 2014-12-18 Ulrich Drepper <drepper@gmail.com> >> + >> + * Makefile.am: Suppress output of textrel_check command. >> +diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c >> +index 30abe0b..cd3756c 100644 >> +--- a/libelf/elf_begin.c >> ++++ b/libelf/elf_begin.c >> +@@ -749,10 +749,7 @@ read_long_names (Elf *elf) >> + } >> + >> + /* NUL-terminate the string. */ >> +- *runp = '\0'; >> +- >> +- /* Skip the NUL byte and the \012. */ >> +- runp += 2; >> ++ *runp++ = '\0'; >> + >> + /* A sanity check. Somebody might have generated invalid >> + archive. */ >> +-- >> +1.9.1 >> + >> diff --git a/meta/recipes-devtools/elfutils/elfutils_0.161.bb b/meta/recipes-devtools/elfutils/elfutils_0.161.bb >> index 0dbe9f9..e111b34 100644 >> --- a/meta/recipes-devtools/elfutils/elfutils_0.161.bb >> +++ b/meta/recipes-devtools/elfutils/elfutils_0.161.bb >> @@ -16,6 +16,7 @@ SRC_URI += "\ >> file://Fix_elf_cvt_gunhash.patch \ >> file://fixheadercheck.patch \ >> file://0001-elf_getarsym-Silence-Werror-maybe-uninitialized-fals.patch \ >> + file://0001-libelf-Fix-dir-traversal-vuln-in-ar-extraction.patch \ >> " >> >> # pick the patch from debian >> >> -- >> _______________________________________________ >> Openembedded-commits mailing list >> Openembedded-commits@lists.openembedded.org >> http://lists.openembedded.org/mailman/listinfo/openembedded-commits > -- Best Reagrds, Roy | RongQing Li ^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-05-25 0:54 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20150501064023.6E7B950467@opal.openembedded.org>
2015-05-22 11:46 ` [oe-commits] Roy Li : elfutils: Security Advisory - CVE-2015-0255 Martin Jansa
2015-05-25 0:54 ` Rongqing Li
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.