[security-announce] elfutils_0.148: Security update

Sona Sarmadi sona.sarmadi at enea.com
Fri May 29 19:42:06 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

	Enea Linux Security Advisory

=========================================================
Product/package: elfutils_0.148
Severity: Low
CVE Names: CVE-2014-9447
=========================================================
This security update fixes a directory traversal vulnerability in read_long_names().

The patch and README files are gpg signed by ESRT (Enea Security
Response Team) for verification of origin.
To verify the integrity of the patches, download the ESRT public key from:
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x773EF6EF68716A14

For detailed info refer to https://linux.enea.com/5.0/patches/README.asc

Signed/SHA512 patch/README files
================================
0013-elfutils_0.148-CVE-2014-9447.README.asc
0013-elfutils_0.148-CVE-2014-9447.patch.asc

Description
===========
Directory traversal vulnerability in the read_long_names
function in libelf/elf_begin.c in elfutils 0.152 and 0.161
allows remote attackers to write to arbitrary files to the
root directory via a / (slash) in a crafted archive, as
demonstrated using the ar program.

References:
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9447

How to apply the patches
=======================
 - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget http://linux.enea.com/5.0-beta-m400/Enea-Linux-5.0-beta-m400.tar.gz
tar zxvf Enea-Linux-5.0-beta-m400.tar.gz
<Fetch and apply the existing patches, please refer to
    README file for the individual patch>

 - Fetch and apply the new patch
cd Enea-Linux-5.0-beta-m400/poky
wget http://linux.enea.com/5.0-beta-m400/patches/0013-elfutils_0.148-CVE-2014-9447.patch.asc
patch -p1 < ./0013-elfutils_0.148-CVE-2014-9447.patch.asc

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
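
The Description above ties the flaw to a slash in an archive member name. The following is an added example, not part of the advisory and not elfutils or Enea code: a pre-extraction check that resolves member names in a GNU-format ar archive and reports any that are not plain file names. The function names and the sample archive are constructed for illustration, and BSD-style "#1/" names are not handled.

```python
# Added example: resolve ar member names and flag ones unsafe to extract.
# Not elfutils code; the sample archive below is constructed.
AR_MAGIC = b"!<arch>\n"

def member_names(data):
    """Return the resolved member names of a GNU-format ar archive."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    names, longtab, pos = [], b"", len(AR_MAGIC)
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        raw, size = hdr[:16].rstrip(b" "), int(hdr[48:58])
        body = data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)          # member data is 2-byte aligned
        if raw == b"//":                       # long-name table
            longtab = body
        elif raw in (b"/", b"/SYM64/"):        # symbol index, no file name
            continue
        elif raw[:1] == b"/" and raw[1:].isdigit():
            off = int(raw[1:])                 # "/<offset>" into the table
            end = longtab.find(b"\n", off)     # entries end with "/\n"
            entry = longtab[off:end if end != -1 else len(longtab)]
            names.append(entry[:-1] if entry.endswith(b"/") else entry)
        else:                                  # short name, "/"-terminated
            names.append(raw[:-1] if raw.endswith(b"/") else raw)
    return names

def unsafe(name):
    """ar members are flat, so any separator, NUL, or dot name is rejected."""
    return name in (b"", b".", b"..") or b"/" in name or b"\0" in name

def flagged(data):
    return [n for n in member_names(data) if unsafe(n)]

def _member(name, body):                       # builds the constructed sample
    hdr = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, b"644", len(body))
    return hdr + body + (b"\n" if len(body) & 1 else b"")

LONG = [b"plain_long_member_name.o", b"/rooted_long_member_name.o"]
table = b"".join(n + b"/\n" for n in LONG)
SAMPLE = (AR_MAGIC + _member(b"//", table)
          + _member(b"/0", b"A")
          + _member(b"/%d" % (len(LONG[0]) + 2), b"BB")
          + _member(b"short.o/", b"C"))

if __name__ == "__main__":
    print(flagged(SAMPLE))
```

Run against an untrusted archive before extraction, a non-empty result means the archive should be rejected or extracted only with names reduced to their final path component.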

