touch-packages team mailing list archive

Thread
Date

[Bug 1414206] Re: elfutils in Vivid is vulnerable to CVE-2014-9447

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Dmitry Shachnev <mitya57@xxxxxxxxx>
Date: Mon, 26 Jan 2015 09:00:47 -0000
Reply-to: Bug 1414206 <1414206@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to elfutils in Ubuntu.
https://bugs.launchpad.net/bugs/1414206

Title:
  elfutils in Vivid is vulnerable to CVE-2014-9447

Status in elfutils package in Ubuntu:
  Confirmed

Bug description:
  elfutils 0.160-0ubuntu2 has not been patched for CVE-2014-9447. I've
  released updates for the stable Ubuntu releases but need a sponsor for
  uploading to Vivid.

  The vulnerability involves crafted ar archives causing a directory
  traversal attack. Files in the root directory can be written if a
  process, with write access to the root directory, uses libelf1 to
  extract a malicious ar archive.

  More info can be found in our CVE tracker:

    http://people.canonical.com/~ubuntu-
  security/cve/2014/CVE-2014-9447.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/elfutils/+bug/1414206/+subscriptions

References

[Bug 1414206] [NEW] elfutils in Vivid is vulnerable to CVE-2014-9447
From: Tyler Hicks, 2015-01-23