rpms / elfutils

Clone
Source Code
GIT

Blame elfutils-0.161-ar-long-name.patch

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f7 f8 f9 master
  1.   f1c9e8f4587f8870ddf88cb873f895ce32b898a3
  2.   elfutils-0.161-ar-long-name.patch
Blob History Raw
Mark Wielaard f1c9e8f 
commit 147018e729e7c22eeabf15b82d26e4bf68a0d18e
Mark Wielaard f1c9e8f 
Author: Alexander Cherepanov <cherepan@mccme.ru>
Mark Wielaard f1c9e8f 
Date:   Sun Dec 28 19:57:19 2014 +0300
Mark Wielaard f1c9e8f
Mark Wielaard f1c9e8f 
    libelf: Fix dir traversal vuln in ar extraction.
Mark Wielaard f1c9e8f
Mark Wielaard f1c9e8f 
    read_long_names terminates names at the first '/' found but then skips
Mark Wielaard f1c9e8f 
    one character without checking (it's supposed to be '\n'). Hence the
Mark Wielaard f1c9e8f 
    next name could start with any character including '/'. This leads to
Mark Wielaard f1c9e8f 
    a directory traversal vulnerability at the time the contents of the
Mark Wielaard f1c9e8f 
    archive is extracted.
Mark Wielaard f1c9e8f
Mark Wielaard f1c9e8f 
    The danger is mitigated by the fact that only one '/' is possible in a
Mark Wielaard f1c9e8f 
    resulting filename and only in the leading position. Hence only files
Mark Wielaard f1c9e8f 
    in the root directory can be written via this vuln and only when ar is
Mark Wielaard f1c9e8f 
    executed as root.
Mark Wielaard f1c9e8f
Mark Wielaard f1c9e8f 
    The fix for the vuln is to not skip any characters while looking
Mark Wielaard f1c9e8f 
    for '/'.
Mark Wielaard f1c9e8f
Mark Wielaard f1c9e8f 
    Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
Mark Wielaard f1c9e8f
Mark Wielaard f1c9e8f 
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
Mark Wielaard f1c9e8f 
index 3b88d03..447c354 100644
Mark Wielaard f1c9e8f 
--- a/libelf/ChangeLog
Mark Wielaard f1c9e8f 
+++ b/libelf/ChangeLog
Mark Wielaard f1c9e8f 
@@ -1,3 +1,8 @@
Mark Wielaard f1c9e8f 
+2014-12-28  Alexander Cherepanov  <cherepan@mccme.ru>
Mark Wielaard f1c9e8f 
+
Mark Wielaard f1c9e8f 
+	* elf_begin.c (read_long_names): Don't miss '/' right after
Mark Wielaard f1c9e8f 
+	another '/'. Fixes a dir traversal vuln in ar extraction.
Mark Wielaard f1c9e8f 
+
Mark Wielaard f1c9e8f 
 2014-12-18  Ulrich Drepper  <drepper@gmail.com>
Mark Wielaard f1c9e8f
Mark Wielaard f1c9e8f 
 	* Makefile.am: Suppress output of textrel_check command.
Mark Wielaard f1c9e8f 
diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
Mark Wielaard f1c9e8f 
index 30abe0b..cd3756c 100644
Mark Wielaard f1c9e8f 
--- a/libelf/elf_begin.c
Mark Wielaard f1c9e8f 
+++ b/libelf/elf_begin.c
Mark Wielaard f1c9e8f 
@@ -749,10 +749,7 @@ read_long_names (Elf *elf)
Mark Wielaard f1c9e8f 
 	    }
Mark Wielaard f1c9e8f
Mark Wielaard f1c9e8f 
 	  /* NUL-terminate the string.  */
Mark Wielaard f1c9e8f 
-	  *runp = '\0';
Mark Wielaard f1c9e8f 
-
Mark Wielaard f1c9e8f 
-	  /* Skip the NUL byte and the \012.  */
Mark Wielaard f1c9e8f 
-	  runp += 2;
Mark Wielaard f1c9e8f 
+	  *runp++ = '\0';
Mark Wielaard f1c9e8f
Mark Wielaard f1c9e8f 
 	  /* A sanity check.  Somebody might have generated invalid
Mark Wielaard f1c9e8f 
 	     archive.  */
Powered by Pagure 5.11.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.