touch-packages team mailing list archive
Message #50072
[Bug 1414206] Re: elfutils in Vivid is vulnerable to CVE-2014-9447
This bug was fixed in the package elfutils - 0.160-0ubuntu3
---------------
elfutils (0.160-0ubuntu3) vivid; urgency=medium

  * SECURITY UPDATE: Directory traversal via crafted ar archive (LP: #1414206)
    - debian/patches/CVE-2014-9447.patch: Prevent root directory traversal
      while extracting ar archives
    - CVE-2014-9447

 -- Tyler Hicks <tyhicks@xxxxxxxxxxxxx> Fri, 23 Jan 2015 16:24:20 -0600
** Changed in: elfutils (Ubuntu)
Status: Confirmed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9447
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to elfutils in Ubuntu.
https://bugs.launchpad.net/bugs/1414206
Title:
elfutils in Vivid is vulnerable to CVE-2014-9447
Status in elfutils package in Ubuntu:
Fix Released
Bug description:
elfutils 0.160-0ubuntu2 has not been patched for CVE-2014-9447. I've
released updates for the stable Ubuntu releases but need a sponsor for
uploading to Vivid.
The vulnerability involves crafted ar archives causing a directory
traversal attack. Files in the root directory can be written if a
process, with write access to the root directory, uses libelf1 to
extract a malicious ar archive.
More info can be found in our CVE tracker:
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9447.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/elfutils/+bug/1414206/+subscriptions
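
The bug description above notes that a crafted ar archive can lead to files being written in the root directory. The following is an added example, not code from elfutils or from the Ubuntu patch: a pre-extraction check that resolves each member name in a GNU-format ar image (short names, the "//" long-name table and "/<offset>" references only) and counts names that are unsafe to use as output file names. Treating any name that is empty, ".", ".." or contains "/" as unsafe is an assumption that goes beyond the case on the page; `ar_count_unsafe`, `unsafe_name`, `HDR` and the sample archive are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int unsafe_name(const char *n, size_t len) {  /* empty, ".", ".." or has '/' */
    if (len == 0 || memchr(n, '/', len)) return 1;
    return n[0] == '.' && (len == 1 || (len == 2 && n[1] == '.'));
}

/* Count unsafe member names in a GNU-format ar image; -1 if malformed. */
int ar_count_unsafe(const unsigned char *buf, size_t len) {
    const char *tab = NULL, *name;          /* tab: "//" long-name table */
    char num[17], *end;
    size_t tablen = 0, off = 8, size = 0, nlen, o, e;
    int bad = 0;
    if (len < 8 || memcmp(buf, "!<arch>\n", 8) != 0) return -1;
    for (; off < len; off += 60 + size + (size & 1)) {
        name = (const char *)buf + off;
        if (len - off < 60 || memcmp(name + 58, "`\n", 2) != 0) return -1;
        size = strtoul(name + 48, &end, 10);  /* ar_size; parse stops at the magic */
        if (end == name + 48 || size > len - off - 60) return -1;
        for (nlen = 16; nlen > 0 && name[nlen - 1] == ' '; nlen--) {}
        if (nlen == 2 && name[0] == '/' && name[1] == '/') {
            tab = name + 60; tablen = size;
        } else if (nlen > 1 && name[0] == '/') {            /* "/<offset>" into tab */
            memcpy(num, name + 1, nlen - 1); num[nlen - 1] = '\0';
            o = strtoul(num, &end, 10);
            if (end == num || *end || !tab || o >= tablen) return -1;
            for (e = o; e < tablen && tab[e] != '\n'; e++) {}
            if (e > o && tab[e - 1] == '/') e--;            /* drop "/" terminator */
            bad += unsafe_name(tab + o, e - o);
        } else if (nlen != 1 || name[0] != '/') {           /* lone "/" is the symbol table */
            if (nlen > 0 && name[nlen - 1] == '/') nlen--;
            bad += unsafe_name(name, nlen);
        }
    }
    return bad;
}

#define HDR "%-16s%-12d%-6d%-6d%-8o%-10d`\n"  /* one 60-byte member header */
int main(void) {                               /* constructed sample archive */
    const char *names = "a_long_member_name.o/\n/constructed.o/\n";
    char ar[512];
    int n = sprintf(ar, "!<arch>\n" HDR "%s" HDR "x\n" HDR "x\n",
                    "//", 0, 0, 0, 0644u, (int)strlen(names), names,
                    "/0", 0, 0, 0, 0644u, 2,    /* plain long name */
                    "/22", 0, 0, 0, 0644u, 2);  /* absolute path: unsafe */
    printf("unsafe member names: %d\n", ar_count_unsafe((unsigned char *)ar, (size_t)n));
    return 0;
}
```

A nonzero count or a return of -1 is a reason to refuse extraction rather than to sanitise the names and continue.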