FS#44020 - [lib32-elfutils] CVE-2014-9447: directory traversal

Attached to Project: Community Packages
Opened by Levente Polyak (anthraxx) - Monday, 02 March 2015, 16:59 GMT
Last edited by Laurent Carlier (lordheavy) - Monday, 02 March 2015, 21:06 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Laurent Carlier (lordheavy)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


It has been reported [0] that elfutils <= 0.161 is vulnerable to directory traversal tracked as CVE-2014-9447 [1].

This allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program.

A patch has been applied upstream [2], as no new release seems to be planned in the very near future I recommend to apply this patch onto 0.161.
I have attached a PKGBUILD patch for convenience.

[0] https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-December/004499.html
[1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9447
[2] https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e
This task depends upon

Closed by  Laurent Carlier (lordheavy)
Monday, 02 March 2015, 21:06 GMT
Reason for closing:  Fixed
Additional comments about closing:  lib32-elfutils-0.161-2