touch-packages team mailing list archive

Thread
Date

[Bug 1414206] Re: elfutils in Vivid is vulnerable to CVE-2014-9447

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Tyler Hicks <tyhicks@xxxxxxxxxxxxx>
Date: Fri, 23 Jan 2015 22:27:20 -0000
Reply-to: Bug 1414206 <1414206@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

I forgot to reference this bug in the changelog of the previously
attached debdiff. Here's a debdiff that references this bug.

** Patch added: "elfutils_0.160-0ubuntu3.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/elfutils/+bug/1414206/+attachment/4304581/+files/elfutils_0.160-0ubuntu3.debdiff

** Patch removed: "elfutils_0.160-0ubuntu3.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/elfutils/+bug/1414206/+attachment/4304563/+files/elfutils_0.160-0ubuntu3.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to elfutils in Ubuntu.
https://bugs.launchpad.net/bugs/1414206

Title:
  elfutils in Vivid is vulnerable to CVE-2014-9447

Status in elfutils package in Ubuntu:
  Confirmed

Bug description:
  elfutils 0.160-0ubuntu2 has not been patched for CVE-2014-9447. I've
  released updates for the stable Ubuntu releases but need a sponsor for
  uploading to Vivid.

  The vulnerability involves crafted ar archives causing a directory
  traversal attack. Files in the root directory can be written if a
  process, with write access to the root directory, uses libelf1 to
  extract a malicious ar archive.

  More info can be found in our CVE tracker:

    http://people.canonical.com/~ubuntu-
  security/cve/2014/CVE-2014-9447.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/elfutils/+bug/1414206/+subscriptions

References

[Bug 1414206] [NEW] elfutils in Vivid is vulnerable to CVE-2014-9447
From: Tyler Hicks, 2015-01-23