Bugzilla – Bug 911662
VUL-0: CVE-2014-9447: elfutils: Directory traversal vulnerability in the read_long_names function inlibelf/elf_begin.c in elfutils ...
Last modified: 2021-11-03 15:39:28 UTC
CVE-2014-9447 Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9447 http://www.openwall.com/lists/oss-security/2014/12/29/2 https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-December/004499.html https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e http://www.securityfocus.com/bid/71804 http://secunia.com/advisories/61934
bugbot adjusting priority
Checked in for factory (0.161). Looks like pretty much all versions are impacted.
Also, for elfutils this impacts eu-ar. It appears the system ar (binutils) is also vulnerable. Is this being handled independently? # printf '!<arch>\n%-48s%-10s`\n//file/\n%-48s%-10s`\n' // 8 /1 0 > test.a # /usr/bin/ar tv test.a --------- 0/0 0 Dec 31 16:00 1969 /file # ls /file ls: cannot access /file: No such file or directory # /usr/bin/ar xv test.a x - /file # ls -l /file ---------- 1 root root 0 Jan 7 14:10 /file # touch /file # /usr/bin/ar q test2.a /file /usr/bin/ar: creating test2.a # /usr/bin/ar tv test2.a --------- 0/0 0 Jan 7 14:08 2015 file # rm /file # ls /file ls: cannot access /file: No such file or directory # /usr/bin/ar xv test2.a x - file # ls /file # ls ./file ./file
Submitted for opensuse 13.1 and opensuse 13.2 (mr# 280246)
This is an autogenerated message for OBS integration: This bug (911662) was mentioned in https://build.opensuse.org/request/show/280246 13.2+13.1 / elfutils
(In reply to Tony Jones from comment #4) > Submitted for opensuse 13.1 and opensuse 13.2 (mr# 280246) resubmitted for opensuse 13.1/13.2 as mr 280635
openSUSE-SU-2015:0123-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 911662 CVE References: CVE-2014-9447 Sources used: openSUSE 13.2 (src): elfutils-0.158-4.5.1 openSUSE 13.1 (src): elfutils-0.155-6.8.1
SUSE:SLE-12:Update - sr 49262
SUSE-SU-2015:0292-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 911662 CVE References: CVE-2014-9447 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): elfutils-0.158-6.1 SUSE Linux Enterprise Server 12 (src): elfutils-0.158-6.1 SUSE Linux Enterprise Desktop 12 (src): elfutils-0.158-6.1
osc sr SUSE:SLE-11-SP1:Update:Test created request id 51758
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-03-04. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60709
released
SUSE-SU-2015:0434-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 911662 CVE References: CVE-2014-9447 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): elfutils-0.152-4.9.17 SUSE Linux Enterprise Server 11 SP3 for VMware (src): elfutils-0.152-4.9.17 SUSE Linux Enterprise Server 11 SP3 (src): elfutils-0.152-4.9.17 SUSE Linux Enterprise Desktop 11 SP3 (src): elfutils-0.152-4.9.17
This is an autogenerated message for OBS integration: This bug (911662) was mentioned in https://build.opensuse.org/request/show/676940 Factory / elfutils