Community Packages

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#44020 - [lib32-elfutils] CVE-2014-9447: directory traversal

Attached to Project: Community Packages
Opened by Levente Polyak (anthraxx) - Monday, 02 March 2015, 16:59 GMT
Last edited by Laurent Carlier (lordheavy) - Monday, 02 March 2015, 21:06 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Laurent Carlier (lordheavy)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


It has been reported [0] that elfutils <= 0.161 is vulnerable to directory traversal tracked as CVE-2014-9447 [1].

This allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program.

A patch has been applied upstream [2], as no new release seems to be planned in the very near future I recommend to apply this patch onto 0.161.
I have attached a PKGBUILD patch for convenience.

This task depends upon

Closed by  Laurent Carlier (lordheavy)
Monday, 02 March 2015, 21:06 GMT
Reason for closing:  Fixed
Additional comments about closing:  lib32-elfutils-0.161-2