touch-packages team mailing list archive

[Bug 1414206] [NEW] elfutils in Vivid is vulnerable to CVE-2014-9447

 

Public bug reported:

elfutils 0.160-0ubuntu2 has not been patched for CVE-2014-9447. I've
released updates for the stable Ubuntu releases but need a sponsor for
uploading to Vivid.

The vulnerability involves crafted ar archives causing a directory
traversal attack. Files in the root directory can be written if a
process, with write access to the root directory, uses libelf1 to
extract a malicious ar archive.

More info can be found in our CVE tracker:

  http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9447.html

** Affects: elfutils (Ubuntu)
     Importance: Medium
         Status: Confirmed

** Patch added: "elfutils_0.160-0ubuntu3.debdiff"
   https://bugs.launchpad.net/bugs/1414206/+attachment/4304563/+files/elfutils_0.160-0ubuntu3.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to elfutils in Ubuntu.
https://bugs.launchpad.net/bugs/1414206

Title:
  elfutils in Vivid is vulnerable to CVE-2014-9447

Status in elfutils package in Ubuntu:
  Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/elfutils/+bug/1414206/+subscriptions
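
An added example, not part of the original bug report and not elfutils code: a pre-extraction check that walks a GNU-format ar image and lists the member names an extractor should refuse to create. The function names, the rejection rule (empty, `.`, `..`, or any `/` in the resolved name) and the sample archive are assumptions constructed for illustration.

```python
AR_MAGIC = b"!<arch>\n"

def strip_slash(name):
    """Drop the single '/' that GNU ar appends as a name terminator."""
    return name[:-1] if name.endswith(b"/") else name

def member_names(ar):
    """Yield the resolved file name of each member of a GNU-format ar image."""
    if not ar.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    off, longtab = len(AR_MAGIC), b""
    while off + 60 <= len(ar):
        hdr = ar[off:off + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % off)
        raw, size = hdr[:16].rstrip(b" "), int(hdr[48:58])
        body = ar[off + 60:off + 60 + size]
        off += 60 + size + (size & 1)            # members are 2-byte aligned
        if raw == b"//":                         # long-name table
            longtab = body
        elif raw in (b"/", b"/SYM64/"):          # symbol tables, not files
            continue
        elif raw[:1] == b"/" and raw[1:].isdigit():  # "/<offset>" into the table
            start = int(raw[1:])
            end = longtab.find(b"\n", start)
            yield strip_slash(longtab[start:end if end >= 0 else len(longtab)])
        else:
            yield strip_slash(raw)

def unsafe_names(ar):
    """Names an extractor must refuse: empty, '.', '..' or containing '/'."""
    return [n for n in member_names(ar) if n in (b"", b".", b"..") or b"/" in n]

def build_ar(members):
    """Build a constructed test archive from (header_name, data) pairs."""
    out = AR_MAGIC
    for name, data in members:
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, b"100644", len(data))
        out += data + (b"\n" if len(data) % 2 else b"")
    return out

# Constructed sample: two ordinary members and two names with path components.
SAMPLE = build_ar([
    (b"//", b"a_very_long_object_name.o/\n../outside.o/\n"),
    (b"hello.o/", b"data1"),
    (b"/0", b"x"), (b"/27", b"y"), (b"/x.o/", b"z"),
])

if __name__ == "__main__":
    print(unsafe_names(SAMPLE))
```

The check runs on the name after long-name resolution and terminator stripping, because that resolved string is what an extractor would pass to the filesystem.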

