elfutils in Vivid is vulnerable to CVE-2014-9447

Bug #1414206 reported by Tyler Hicks on 2015-01-23
Affects: elfutils (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

elfutils 0.160-0ubuntu2 has not been patched for CVE-2014-9447. I've released updates for the stable Ubuntu releases but need a sponsor for uploading to Vivid.

The vulnerability involves crafted ar archives causing a directory traversal attack. Files in the root directory can be written if a process, with write access to the root directory, uses libelf1 to extract a malicious ar archive.

More info can be found in our CVE tracker:

  http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9447.html
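As an added illustration (not part of this bug report and not the elfutils patch itself), the kind of check an extractor can apply to each resolved ar member name before it creates a file in the working directory: decode the 16-byte short-name field of an ar member header, then refuse anything that is empty, absolute, or contains a path separator. The header layout assumed is the GNU/SysV one (name terminated by '/', padded with spaces); the sample names are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define AR_NAME_LEN 16

/* Decode the 16-byte name field of an ar member header into OUT
   (at least AR_NAME_LEN + 1 bytes).  GNU/SysV style: the name ends at
   the first '/' (or at the first space in older space-padded archives).
   The special entries "/" (symbol table), "//" (long-name table) and
   "/123" (reference into that table) decode to an empty string here;
   resolving them is the caller's job.  Returns the decoded length. */
size_t ar_decode_short_name(const char field[AR_NAME_LEN], char *out)
{
    size_t n = 0;
    while (n < AR_NAME_LEN && field[n] != '/' && field[n] != ' ') {
        out[n] = field[n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* True when NAME (after any long-name resolution) may safely be used as
   a file name created relative to the extraction directory.  A member
   name must be a single, non-empty path component: no leading '/',
   no "../", no nested directories.  This is the invariant a crafted
   archive breaks when it smuggles a '/' into the name. */
bool ar_member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (strchr(name, '/') != NULL)          /* "/etc/x", "../x", "a/b" */
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    return true;
}

/* Convenience: decode a raw header name field and validate it in one step.
   Example constructed field: "hello.o/        " -> "hello.o" (safe). */
bool ar_header_name_is_safe(const char field[AR_NAME_LEN])
{
    char name[AR_NAME_LEN + 1];
    ar_decode_short_name(field, name);
    return ar_member_name_is_safe(name);
}
```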

CVE References

Tyler Hicks (tyhicks) wrote :

I forgot to reference this bug in the changelog of the previously attached debdiff. Here's a debdiff that references this bug.

information type: Public → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package elfutils - 0.160-0ubuntu3

---------------
elfutils (0.160-0ubuntu3) vivid; urgency=medium

  * SECURITY UPDATE: Directory traversal via crafted ar archive (LP: #1414206)
    - debian/patches/CVE-2014-9447.patch: Prevent root directory traversal
      while extracting ar archives
    - CVE-2014-9447
 -- Tyler Hicks <email address hidden> Fri, 23 Jan 2015 16:24:20 -0600

Changed in elfutils (Ubuntu):
status: Confirmed → Fix Released