[security-announce] elfutils: Security update

Sona Sarmadi sona.sarmadi at enea.com
Tue Mar 3 14:14:03 CET 2015


               Enea Linux Security Advisory

=========================================================
Product/package: elfutils: 0.155
Severity: Low
Issue date: 2015-03-03
CVE Name: CVE-2014-9447 directory traversal in read_long_names()
=========================================================
A security patch that fixes a directory traversal vulnerability
in elfutils is now available at http://linux.enea.com/4.0/patches:

README file: 0050-elfutils-0.155-CVE-2014-9447.README
Patch file: 0050-elfutils-0.155-CVE-2014-9447.patch

Description
===========
Directory traversal vulnerability in the read_long_names function in
libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers
to write to arbitrary files to the root directory via a / (slash) in a
crafted archive, as demonstrated using the ar program.
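A pre-extraction check for the condition described above, as an added example that is not part of the Enea advisory or of elfutils: it walks a GNU-format ar archive, resolves short and long member names, and reports any name that carries a path separator. It generalizes the check beyond the long-name table to every member name; the function names and the sample archive are constructed for illustration.

```python
AR_MAGIC = b"!<arch>\n"
HDR_LEN = 60  # name[16] mtime[12] uid[6] gid[6] mode[8] size[10] end[2]

def member_names(blob):
    """Return the file names stored in a GNU-format ar archive (bytes)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    names, longtab, pos = [], b"", len(AR_MAGIC)
    while pos + HDR_LEN <= len(blob):
        hdr = blob[pos:pos + HDR_LEN]
        raw, size = hdr[:16].rstrip(b" "), hdr[48:58].strip()
        if hdr[58:60] != b"`\n" or not size.isdigit():
            raise ValueError("bad member header at offset %d" % pos)
        body = blob[pos + HDR_LEN:pos + HDR_LEN + int(size)]
        if len(body) != int(size):
            raise ValueError("truncated member at offset %d" % pos)
        pos += HDR_LEN + len(body) + (len(body) & 1)  # data is 2-byte aligned
        if raw == b"//":                      # GNU long-name table
            longtab = body
        elif raw in (b"/", b"/SYM64/"):       # symbol index, not a file
            continue
        elif raw[:1] == b"/" and raw[1:].isdigit():  # "/<offset>" into table
            off = int(raw[1:])
            if off >= len(longtab):
                raise ValueError("long-name offset %d outside table" % off)
            end = longtab.find(b"/\n", off)   # entries end with "/\n"
            end = len(longtab) if end == -1 else end
            names.append(longtab[off:end].decode("latin-1"))
        else:                                 # short name, "/"-terminated
            names.append(raw[:-1].decode("latin-1") if raw.endswith(b"/")
                         else raw.decode("latin-1"))
    return names

def unsafe_names(blob):
    """Names that must not be used as an output path during extraction."""
    return [n for n in member_names(blob)
            if "/" in n or "\\" in n or "\x00" in n or n in ("", ".", "..")]

def _member(name, data=b""):
    """Build one ar member for the constructed sample below."""
    hdr = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, b"644", len(data))
    return hdr + data + (b"\n" if len(data) & 1 else b"")

# Constructed sample: two long names (one carrying a path) and one short name.
LONGTAB = b"ordinary_long_member_name.o/\nsub/dir/constructed_member.o/\n"
SAMPLE = (AR_MAGIC + _member(b"//", LONGTAB) + _member(b"/0", b"x")
          + _member(b"/29", b"yy") + _member(b"short.o/", b"z"))

if __name__ == "__main__":
    print(unsafe_names(SAMPLE))
```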

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9447

How to apply the patches
========================
- Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget http://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches>

- Fetch and apply the new patch
wget http://linux.enea.com/4.0/patches/0050-elfutils-0.155-CVE-2014-9447.patch
patch -p1 < ./0050-elfutils-0.155-CVE-2014-9447.patch

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
