elfutils in Vivid is vulnerable to CVE-2014-9447

Bug #1414206 reported by Tyler Hicks
Affects: elfutils (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

elfutils 0.160-0ubuntu2 has not been patched for CVE-2014-9447. I've released updates for the stable Ubuntu releases but need a sponsor for uploading to Vivid.

The vulnerability involves crafted ar archives causing a directory traversal attack. Files in the root directory can be written if a process, with write access to the root directory, uses libelf1 to extract a malicious ar archive.

More info can be found in our CVE tracker:

  http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9447.html
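The kind of malicious member names the report describes can be caught before extraction. The following is an added example, not code from elfutils or from the debdiff attached to this bug: it parses GNU ar member headers and the `//` long-name table and reports any member whose name is absolute or contains a `..` component. `build_ar` and the member names it is fed are constructed sample data for the demonstration.

```python
AR_MAGIC = b"!<arch>\n"

def _member(name, data):
    """One 60-byte ar header (GNU field layout) followed by even-padded data."""
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{0o644:<8o}{len(data):<10}`\n".encode()
    return hdr + data + (b"\n" if len(data) % 2 else b"")

def build_ar(members):
    """Constructed sample writer: names longer than 15 bytes or containing '/'
    go into the GNU '//' long-name table and are referenced as '/<offset>'."""
    table, heads = b"", []
    for name, data in members:
        if len(name) > 15 or "/" in name:
            heads.append((f"/{len(table)}", data))
            table += name.encode() + b"/\n"
        else:
            heads.append((name + "/", data))
    out = AR_MAGIC + (_member("//", table) if table else b"")
    return out + b"".join(_member(n, d) for n, d in heads)

def unsafe_members(blob):
    """Member names that would escape the extraction directory: absolute paths
    or any '..' component. Raises ValueError on a malformed archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, table, bad = len(AR_MAGIC), b"", []
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError(f"bad member header at offset {pos}")
        size = int(hdr[48:58].decode())
        data = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
        name = hdr[:16].decode("latin-1").rstrip()
        if name == "//":                        # long-name table: keep for lookups
            table = data
            continue
        if name in ("/", "/SYM64/"):            # symbol index, never written to disk
            continue
        if name.startswith("/") and name[1:].isdigit():
            off = int(name[1:])                 # "/N": name at offset N, ends in "/\n"
            name = table[off:table.index(b"/\n", off)].decode("latin-1")
        elif name.endswith("/"):                # GNU short names carry a trailing '/'
            name = name[:-1]
        if name.startswith("/") or ".." in name.split("/"):
            bad.append(name)
    return bad

if __name__ == "__main__":
    sample = build_ar([("hello.o", b"abc"), ("../../etc/passwd", b"x"), ("/etc/motd", b"hi")])
    print(unsafe_members(sample))  # ['../../etc/passwd', '/etc/motd']
```

The check only covers the GNU long-name convention; BSD-style `#1/N` names are not parsed.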

Tyler Hicks (tyhicks) wrote :

I forgot to reference this bug in the changelog of the previously attached debdiff. Here's a debdiff that references this bug.

information type: Public → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package elfutils - 0.160-0ubuntu3

---------------
elfutils (0.160-0ubuntu3) vivid; urgency=medium

  * SECURITY UPDATE: Directory traversal via crafted ar archive (LP: #1414206)
    - debian/patches/CVE-2014-9447.patch: Prevent root directory traversal
      while extracting ar archives
    - CVE-2014-9447
 -- Tyler Hicks <email address hidden> Fri, 23 Jan 2015 16:24:20 -0600

Changed in elfutils (Ubuntu):
status: Confirmed → Fix Released