Bug 15085

Summary: elfutils new security issue CVE-2014-9447
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lewyssmith, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/629996/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: elfutils-0.157-3.1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-01-19 18:49:18 CET 
Fedora has issued an advisory on January 14:
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148321.html

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated elfutils packages fix security vulnerability:

Directory traversal vulnerability in the read_long_names function in
libelf/elf_begin.c in elfutils allows remote attackers to write to arbitrary
files to the root directory via a / (slash) in a crafted archive, as
demonstrated using the ar program (CVE-2014-9447).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9447
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148321.html
========================

Updated packages in core/updates_testing:
========================
elfutils-0.157-3.2.mga4
libelfutils-devel-0.157-3.2.mga4
libelfutils-static-devel-0.157-3.2.mga4
libelfutils1-0.157-3.2.mga4

from elfutils-0.157-3.2.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 Lewis Smith 2015-01-19 20:29:29 CET 
Testing MGA4 x64 real hardware.

Apart from installing/updating elfutils without any consequent aggro, is there anything more one can do to test this update? The references in Description yield nothing definite.

CC: (none) => lewyssmith

Comment 2 David Walser 2015-01-19 21:02:04 CET 
(In reply to Lewis Smith from comment #1)
> Testing MGA4 x64 real hardware.
> 
> Apart from installing/updating elfutils without any consequent aggro, is
> there anything more one can do to test this update? The references in
> Description yield nothing definite.

Sure they do.  Clicking through the Fedora advisory to the RedHat bug yields this link:
https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-December/004499.html

with a PoC.

Bad:
$ printf '!<arch>\n%-48s%-10s`\n//file/\n%-48s%-10s`\n' // 8 /1 0 > test.a
$ ar -xv test.a
x - /file
/file: Permission denied

Good:
$ printf '!<arch>\n%-48s%-10s`\n//file/\n%-48s%-10s`\n' // 8 /1 0 > test.a
ar: illegal pathname found in archive member: /file
Comment 3 David Walser 2015-01-19 21:05:14 CET 
Apologies, we've already fixed this issue in "ar" in binutils.

elfutils contains "eu-ar"

Bad:
$ printf '!<arch>\n%-48s%-10s`\n//file/\n%-48s%-10s`\n' // 8 /1 0 > test.a
$ eu-ar -xv test.a
x - /file
eu-ar: cannot rename temporary file to : Invalid cross-device link

Good:
$ printf '!<arch>\n%-48s%-10s`\n//file/\n%-48s%-10s`\n' // 8 /1 0 > test.a
$ eu-ar -xv test.a
x - 
eu-ar: cannot rename temporary file to : No such file or directory

Testing complete Mageia 4 i586.

Whiteboard: (none) => has_procedure MGA4-32-OK

Comment 4 claire robinson 2015-01-19 21:12:03 CET 
Can also try some of the other commands from..

$ urpmf elfutils | grep bin
elfutils:/usr/bin/eu-addr2line
elfutils:/usr/bin/eu-ar
elfutils:/usr/bin/eu-elfcmp
elfutils:/usr/bin/eu-elflint
elfutils:/usr/bin/eu-findtextrel
elfutils:/usr/bin/eu-make-debug-archive
elfutils:/usr/bin/eu-nm
elfutils:/usr/bin/eu-objdump
elfutils:/usr/bin/eu-ranlib
elfutils:/usr/bin/eu-readelf
elfutils:/usr/bin/eu-size
elfutils:/usr/bin/eu-strings
elfutils:/usr/bin/eu-strip
elfutils:/usr/bin/eu-unstrip
Comment 5 Lewis Smith 2015-01-20 09:53:13 CET 
(In reply to David Walser from comment #2)
> (In reply to Lewis Smith from comment #1)
> > Testing MGA4 x64 real hardware.
> > Apart from installing/updating elfutils without any consequent aggro, is
> > there anything more one can do to test this update? The references in
> > Description yield nothing definite.
> Sure they do.  Clicking through the Fedora advisory to the RedHat bug yields
> this link:
> https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-December/004499.
> html
> with a PoC.
Ah. This is an HTTPS browser problem, that I have hit elsewhere. I routinely use Opera because it is also my e-mail client (& does IRC). All the bug Fedora links got bounced, so I could not follow them. Having to use Firefox (again).
But thanks for the details.

Reverting to the pre-update elfutils pkgs (0.157-3.1), following the test given in Comment *3* gives a slightly different 'bad' result:
 $ printf '!<arch>\n%-48s%-10s`\n//file/\n%-48s%-10s`\n' // 8 /1 0 > test.a
 $ eu-ar -xv test.a
 x - /file
 eu-ar: cannot rename temporary file to : Permission denied

Updating from Updates Testing to:
 elfutils-0.157-3.2.mga4
 lib64elfutils1-0.157-3.2.mga4
yields the 'good' result from Comment 3:-
 $ eu-ar -xv test.a
 x - 
 eu-ar: cannot rename temporary file to : No such file or directory

For the suggestions in Comment 4: first, no man entries. Do <command> -? or <command> --help. From /usr/bin I tried a few on selected files, but cannot judge the output.

So I am OKing this, but David had better check this comment for the pre-update 'bad' result.

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 6 David Walser 2015-01-20 12:20:34 CET 
Yes it's fine, you just ran your test in a different directory than I did.  I ran mine on /tmp, which is a different filesystem than /, so it gives an error about not being able to create a hardlink that crosses filesystem bounds.  You ran yours on the / filesystem so it just gives permission denied because you're not root.
Comment 7 claire robinson 2015-01-20 15:44:11 CET 
Well done Lewis. 

Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-01-20 15:58:10 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0033.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED