Fedora has issued an advisory on January 14:
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148321.html

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated elfutils packages fix security vulnerability:

Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program (CVE-2014-9447).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9447
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148321.html
========================

Updated packages in core/updates_testing:
========================
elfutils-0.157-3.2.mga4
libelfutils-devel-0.157-3.2.mga4
libelfutils-static-devel-0.157-3.2.mga4
libelfutils1-0.157-3.2.mga4

from elfutils-0.157-3.2.mga4.src.rpm
Testing MGA4 x64 real hardware. Apart from installing/updating elfutils without any consequent aggro, is there anything more one can do to test this update? The references in Description yield nothing definite.
CC: (none) => lewyssmith
(In reply to Lewis Smith from comment #1)
> Testing MGA4 x64 real hardware.
>
> Apart from installing/updating elfutils without any consequent aggro, is
> there anything more one can do to test this update? The references in
> Description yield nothing definite.

Sure they do. Clicking through the Fedora advisory to the RedHat bug yields this link:
https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-December/004499.html
with a PoC.

Bad:
$ printf '!<arch>\n%-48s%-10s`\n//file/\n%-48s%-10s`\n' // 8 /1 0 > test.a
$ ar -xv test.a
x - /file
/file: Permission denied

Good:
$ printf '!<arch>\n%-48s%-10s`\n//file/\n%-48s%-10s`\n' // 8 /1 0 > test.a
ar: illegal pathname found in archive member: /file
Apologies, we've already fixed this issue in "ar" in binutils.

elfutils contains "eu-ar".

Bad:
$ printf '!<arch>\n%-48s%-10s`\n//file/\n%-48s%-10s`\n' // 8 /1 0 > test.a
$ eu-ar -xv test.a
x - /file
eu-ar: cannot rename temporary file to : Invalid cross-device link

Good:
$ printf '!<arch>\n%-48s%-10s`\n//file/\n%-48s%-10s`\n' // 8 /1 0 > test.a
$ eu-ar -xv test.a
x -
eu-ar: cannot rename temporary file to : No such file or directory

Testing complete Mageia 4 i586.
Whiteboard: (none) => has_procedure MGA4-32-OK
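Added example, not part of the original comments and not elfutils or binutils code: a small ar parser that resolves "/<offset>" member names through the "//" long-name table, as the test archive above relies on, and flags names that are not plain file names before anything is extracted. The function names and the policy of rejecting any name containing "/" are assumptions of this example; the sample archive is constructed from the printf line in the comment above.

```python
AR_MAGIC = b"!<arch>\n"
HDR_LEN = 60  # name[16] date[12] uid[6] gid[6] mode[8] size[10] fmag[2]


def resolve_long_name(table: bytes, offset: int) -> str:
    """Return the name stored at `offset` in the '//' long-name table."""
    end = table.find(b"/\n", offset)  # GNU-style entries end with "/\n"
    return table[offset:end if end >= 0 else len(table)].decode("latin-1")


def list_members(data: bytes):
    """Yield (name, size) for each file member of a GNU-format ar archive."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, table = len(AR_MAGIC), b""
    while pos + HDR_LEN <= len(data):
        hdr = data[pos:pos + HDR_LEN]
        raw, size = hdr[:16].rstrip(), int(hdr[48:58].decode("ascii"))
        if hdr[58:60] != b"`\n" or size < 0:
            raise ValueError("malformed member header")
        body = data[pos + HDR_LEN:pos + HDR_LEN + size]
        pos += HDR_LEN + size + (size & 1)  # member data is 2-byte aligned
        if raw == b"//":
            table = body  # long-name table, used by later "/<offset>" names
        elif raw == b"/":
            continue  # symbol index, not an extractable file
        elif raw[:1] == b"/" and raw[1:].isdigit():
            yield resolve_long_name(table, int(raw[1:])), size
        else:
            yield raw.rstrip(b"/").decode("latin-1"), size


def is_unsafe(name: str) -> bool:
    """Policy assumed here: a member name must be a plain file name."""
    return name in ("", ".", "..") or "/" in name


def unsafe_members(data: bytes) -> list:
    """Names that an extractor should refuse to write."""
    return [name for name, _ in list_members(data) if is_unsafe(name)]


def poc_archive() -> bytes:
    """Constructed sample: the same bytes the printf one-liner above writes."""
    hdr = b"%-48s%-10s`\n"
    return AR_MAGIC + hdr % (b"//", b"8") + b"//file/\n" + hdr % (b"/1", b"0")


if __name__ == "__main__":
    print(unsafe_members(poc_archive()))
```

The second header's name field is "/1", which points one byte into the table "//file/" and so resolves to "/file"; the check runs on the resolved name, not on the raw header field.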
Can also try some of the other commands from..

$ urpmf elfutils | grep bin
elfutils:/usr/bin/eu-addr2line
elfutils:/usr/bin/eu-ar
elfutils:/usr/bin/eu-elfcmp
elfutils:/usr/bin/eu-elflint
elfutils:/usr/bin/eu-findtextrel
elfutils:/usr/bin/eu-make-debug-archive
elfutils:/usr/bin/eu-nm
elfutils:/usr/bin/eu-objdump
elfutils:/usr/bin/eu-ranlib
elfutils:/usr/bin/eu-readelf
elfutils:/usr/bin/eu-size
elfutils:/usr/bin/eu-strings
elfutils:/usr/bin/eu-strip
elfutils:/usr/bin/eu-unstrip
(In reply to David Walser from comment #2)
> (In reply to Lewis Smith from comment #1)
> > Testing MGA4 x64 real hardware.
> > Apart from installing/updating elfutils without any consequent aggro, is
> > there anything more one can do to test this update? The references in
> > Description yield nothing definite.
> Sure they do. Clicking through the Fedora advisory to the RedHat bug yields
> this link:
> https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-December/004499.html
> with a PoC.

Ah. This is an HTTPS browser problem, that I have hit elsewhere. I routinely use Opera because it is also my e-mail client (& does IRC). All the bug Fedora links got bounced, so I could not follow them. Having to use Firefox (again). But thanks for the details.

Reverting to the pre-update elfutils pkgs (0.157-3.1), following the test given in Comment *3* gives a slightly different 'bad' result:

$ printf '!<arch>\n%-48s%-10s`\n//file/\n%-48s%-10s`\n' // 8 /1 0 > test.a
$ eu-ar -xv test.a
x - /file
eu-ar: cannot rename temporary file to : Permission denied

Updating from Updates Testing to:
elfutils-0.157-3.2.mga4
lib64elfutils1-0.157-3.2.mga4
yields the 'good' result from Comment 3:-

$ eu-ar -xv test.a
x -
eu-ar: cannot rename temporary file to : No such file or directory

For the suggestions in Comment 4: first, no man entries. Do <command> -? or <command> --help. From /usr/bin I tried a few on selected files, but cannot judge the output.

So I am OKing this, but David had better check this comment for the pre-update 'bad' result.
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
Yes it's fine, you just ran your test in a different directory than I did. I ran mine on /tmp, which is a different filesystem than /, so it gives an error about not being able to create a hardlink that crosses filesystem bounds. You ran yours on the / filesystem so it just gives permission denied because you're not root.
Well done Lewis.

Validating. Advisory uploaded.

Please push to 4 updates

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0033.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED