Mark Wielaard f1c9e8f
commit 147018e729e7c22eeabf15b82d26e4bf68a0d18e
Author: Alexander Cherepanov <cherepan@mccme.ru>
Date:   Sun Dec 28 19:57:19 2014 +0300
    libelf: Fix dir traversal vuln in ar extraction.
    
    read_long_names terminates names at the first '/' found but then skips
    one character without checking (it's supposed to be '\n'). Hence the
    next name could start with any character including '/'. This leads to
    a directory traversal vulnerability at the time the contents of the
    archive are extracted.
    
    The danger is mitigated by the fact that only one '/' is possible in a
    resulting filename and only in the leading position. Hence only files
    in the root directory can be written via this vuln and only when ar is
    executed as root.
    
    The fix for the vuln is to not skip any characters while looking
    for '/'.
    
    Signed-off-by: Alexander Cherepanov <cherepan@mccme.ru>
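The two versions of the loop that the commit message describes, as an added example in C that is not libelf's code: it models the long-names scan on a copy of a constructed GNU ar long-names table, with the pre-fix "skip two bytes" step beside the fixed "skip only the NUL" step, resolves a name by byte offset the way a `/<offset>` member header does, and applies a hypothetical `name_is_safe` check that an extractor could use as defence in depth. The function names, the `SKIP_*` constants and the sample tables are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libelf's code.  A GNU ar long-names table looks like
   "name1/\nname2/\n"; member headers refer to an entry by byte offset
   ("/5"), so the read_long_names loop only has to turn each name-ending
   '/' into a NUL.  The two constants model the two versions of the loop. */
#define SKIP_BEFORE_FIX 2   /* runp += 2: skip the NUL and an unchecked byte */
#define SKIP_AFTER_FIX  1   /* *runp++ = '\0': resume right after the NUL  */

/* NUL-terminate every name at its '/'.  Returns the number of names
   terminated.  (libelf takes the table length from the archive header,
   not from strlen; the model takes it as a parameter for the same reason.) */
static int
terminate_long_names (char *buf, size_t len, size_t skip)
{
  int count = 0;
  size_t pos = 0;

  while (pos < len)
    {
      char *hit = memchr (buf + pos, '/', len - pos);
      if (hit == NULL)
        break;                 /* last entry reached */
      *hit = '\0';             /* NUL-terminate the name */
      ++count;
      /* Pre-fix: assumes the byte after the NUL is '\n' and steps over it.
         If that byte is really a '/', it is never terminated and the name
         at the next offset begins with '/'. */
      pos = (size_t) (hit - buf) + skip;
    }
  return count;
}

/* Hypothetical defender-side check (not part of libelf) an extractor can
   apply to each resolved member name, whatever parser produced it. */
static int
name_is_safe (const char *name)
{
  if (name[0] == '\0')
    return 0;
  if (strchr (name, '/') != NULL)
    return 0;
  if (strcmp (name, ".") == 0 || strcmp (name, "..") == 0)
    return 0;
  return 1;
}

/* Parse a copy of 'table' with the chosen loop variant and return the name
   a "/<offset>" header would resolve to, or NULL if the table does not fit
   or the offset is out of range. */
static const char *
resolve (const char *table, size_t skip, size_t offset,
         char *buf, size_t buflen)
{
  size_t len = strlen (table);   /* constructed tables have no embedded NULs */
  if (len >= buflen || offset >= len)
    return NULL;
  memcpy (buf, table, len + 1);
  terminate_long_names (buf, len, skip);
  return buf + offset;
}

/* Does the entry at 'offset' resolve to 'expected' under this loop variant? */
static int
resolves_to (const char *table, size_t skip, size_t offset,
             const char *expected)
{
  char buf[64];
  const char *name = resolve (table, skip, offset, buf, sizeof buf);
  return name != NULL && strcmp (name, expected) == 0;
}

/* Would the entry at 'offset' pass name_is_safe under this loop variant? */
static int
resolves_safely (const char *table, size_t skip, size_t offset)
{
  char buf[64];
  const char *name = resolve (table, skip, offset, buf, sizeof buf);
  return name != NULL && name_is_safe (name);
}

int
main (void)
{
  /* Constructed inputs: a well-formed table, and one with a '/' where the
     old loop blindly expected '\n', the shape the commit message describes. */
  const char *good = "foo/\nbar/\n";
  const char *bad = "foo//escaped/name";

  printf ("well-formed, offset 5 is \"bar\": before=%d after=%d\n",
          resolves_to (good, SKIP_BEFORE_FIX, 5, "bar"),
          resolves_to (good, SKIP_AFTER_FIX, 5, "bar"));
  printf ("malformed, before fix: offset 4 is \"/escaped\"=%d safe=%d\n",
          resolves_to (bad, SKIP_BEFORE_FIX, 4, "/escaped"),
          resolves_safely (bad, SKIP_BEFORE_FIX, 4));
  printf ("malformed, after fix:  offset 5 is \"escaped\"=%d safe=%d\n",
          resolves_to (bad, SKIP_AFTER_FIX, 5, "escaped"),
          resolves_safely (bad, SKIP_AFTER_FIX, 5));
  return 0;
}
```

Build with `cc -Wall example.c && ./a.out`. On the well-formed table both variants agree, because the byte the old loop skipped really is '\n'. On the malformed table the old loop leaves the second '/' untouched, so the entry at offset 4 resolves to a name beginning with '/'; the fixed loop terminates that '/' as well, leaving an empty entry at offset 4 and a plain "escaped" at offset 5. The `name_is_safe` check rejects both the leading-slash name and the empty one, which is the kind of independent check worth keeping at extraction time even with the parser fixed.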
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 3b88d03..447c354 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2014-12-28  Alexander Cherepanov  <cherepan@mccme.ru>
+
+	* elf_begin.c (read_long_names): Don't miss '/' right after
+	another '/'. Fixes a dir traversal vuln in ar extraction.
+
 2014-12-18  Ulrich Drepper  <drepper@gmail.com>
 
 	* Makefile.am: Suppress output of textrel_check command.
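Review bot: the new entry describes the symptom ("Don't miss '/' right after another '/'") rather than what the code now does differently; since the elf_begin.c change is to stop skipping the byte after the terminating NUL, wording such as "Don't skip the byte after the NUL terminator; it is not guaranteed to be '\n'" would let a reader match the entry to the diff without reading the commit message.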
diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index 30abe0b..cd3756c 100644
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -749,10 +749,7 @@ read_long_names (Elf *elf)
 	    }
 
 	  /* NUL-terminate the string.  */
-	  *runp = '\0';
-
-	  /* Skip the NUL byte and the \012.  */
-	  runp += 2;
+	  *runp++ = '\0';
 
 	  /* A sanity check.  Somebody might have generated invalid
 	     archive.  */
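Review bot: the comment "Skip the NUL byte and the \012." is dropped rather than replaced, so the reason for `*runp++ = '\0';` advancing by exactly one byte is no longer stated in the code; a one-line comment that the scan deliberately resumes at the byte after the terminator, because that byte is only '\n' in a well-formed table and may itself be a '/' in a malformed one, would keep the intent readable next to the sanity check that follows. The patch also touches only the loop and the ChangeLog; a regression test with a long-names table containing '/' where '\n' is expected would guard against the two-byte skip being reintroduced.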