[security-announce] elfutils 0.148: Security update

Sona Sarmadi sona.sarmadi at enea.com
Wed Mar 4 08:36:02 CET 2015


 		Enea Linux Security Advisory

=========================================================
Product/package: elfutils: 0.148
Severity: Low
Issue date: 2015-03-03
CVE Name: CVE-2014-9447 directory traversal in read_long_names()
=========================================================
A security patch that fixes a directory traversal vulnerability
in elfutils is now available at http://linux.enea.com/4.0/patches:

README file: 0050-elfutils-0.148-CVE-2014-9447.README
Patch file: 0050-elfutils-0.148-CVE-2014-9447.patch

Description
===========
Directory traversal vulnerability in the read_long_names function in
libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers
to write to arbitrary files to the root directory via a / (slash) in a
crafted archive, as demonstrated using the ar program.

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9447

How to apply the patches
========================
- Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order

wget http://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches>

- Fetch and apply the new patch
wget http://linux.enea.com/4.0/patches/0050-elfutils-0.148-CVE-2014-9447.patch
patch -p1 < ./0050-elfutils-0.148-CVE-2014-9447.patch

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
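
A triage check for the issue summarised under Description, as an added example that is not part of the advisory or of elfutils: it parses a GNU-format ar archive image, resolves long-name references, and reports member names that contain a slash. The function names and the sample archive are constructed for illustration, and the code assumes the GNU ar layout (60-byte member headers, a "//" long-name table, "/N" references into it).

```python
AR_MAGIC = b"!<arch>\n"
HDR_LEN = 60  # name[16] mtime[12] uid[6] gid[6] mode[8] size[10] fmag[2]

def member_names(data):
    """Return the resolved member names of a GNU-format ar archive image."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    names, longnames, pos = [], b"", len(AR_MAGIC)
    while pos + HDR_LEN <= len(data):
        hdr = data[pos:pos + HDR_LEN]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        raw = hdr[:16].rstrip(b" ")
        size = int(hdr[48:58].decode("ascii").strip())
        body = data[pos + HDR_LEN:pos + HDR_LEN + size]
        pos += HDR_LEN + size + (size & 1)   # member data is padded to an even offset
        if raw == b"//":                     # long-name table: entries end in "/\n"
            longnames = body
        elif raw in (b"/", b"/SYM64/"):      # symbol index, not a file member
            continue
        elif raw[:1] == b"/" and raw[1:].isdigit():   # "/N" = offset N in the table
            off = int(raw[1:].decode("ascii"))
            end = longnames.find(b"\n", off)
            name = longnames[off:end] if end != -1 else longnames[off:]
            names.append(name[:-1] if name.endswith(b"/") else name)
        else:                                # short name stored inline as "name/"
            names.append(raw[:-1] if raw.endswith(b"/") else raw)
    return names

def names_with_slash(data):
    """Member names that still contain a path separator once resolved."""
    return [n for n in member_names(data) if b"/" in n]

def _member(name, body):
    """Build one archive member (constructed test data only)."""
    hdr = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, b"644", len(body))
    return hdr + body + (b"\n" if len(body) & 1 else b"")

# Constructed sample: one benign long name, one long name carrying a path.
_TABLE = b"libverylongname_ok.o/\n/demo/member.o/\n"
SAMPLE = (AR_MAGIC + _member(b"//", _TABLE)
          + _member(b"/0", b"AA")
          + _member(b"/%d" % _TABLE.index(b"/demo/"), b"BBB")
          + _member(b"short.o/", b"C"))

if __name__ == "__main__":
    for n in names_with_slash(SAMPLE):
        print("suspicious member name:", n.decode("ascii", "replace"))
```

Run it over untrusted archives before extracting them with an unpatched ar; BSD-style "#1/N" long names are not handled.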



