elfutils in Vivid is vulnerable to CVE-2014-9447
Bug #1414206 reported by Tyler Hicks
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
elfutils (Ubuntu) | Fix Released | Medium | Unassigned |
Bug Description
elfutils 0.160-0ubuntu2 has not been patched for CVE-2014-9447. I've released updates for the stable Ubuntu releases but need a sponsor for uploading to Vivid.
The vulnerability involves crafted ar archives causing a directory traversal attack. Files in the root directory can be written if a process, with write access to the root directory, uses libelf1 to extract a malicious ar archive.
More info can be found in our CVE tracker:
http://
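A pre-extraction check for the kind of archive the description refers to, added here as an example; it is not code from this bug report, the debdiff, or elfutils. It assumes the GNU ar layout (60-byte member headers, a `//` long-name table) and a policy that a member name must be a single path component. The function names and the sample archive are constructed for illustration.

```python
MAGIC = b"!<arch>\n"
HDR = 60  # name[16] mtime[12] uid[6] gid[6] mode[8] size[10] fmag[2]

def member_names(data):
    """Yield the file name of every regular member of a GNU-style ar archive."""
    if not data.startswith(MAGIC):
        raise ValueError("not an ar archive")
    longnames, pos = b"", len(MAGIC)
    while pos + HDR <= len(data):
        hdr = data[pos:pos + HDR]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        raw = hdr[:16].rstrip(b" ")
        size = int(hdr[48:58].decode("ascii").strip())
        body = data[pos + HDR:pos + HDR + size]
        pos += HDR + size + (size & 1)    # member data is padded to an even offset
        if raw == b"//":                  # long-name table, entries end with "/\n"
            longnames = body
        elif raw in (b"/", b"/SYM64/"):   # symbol tables, never extracted
            continue
        elif raw[:1] == b"/" and raw[1:].isdigit():  # "/<offset>" into the table
            entry = longnames[int(raw[1:]):].split(b"\n", 1)[0]
            yield (entry[:-1] if entry.endswith(b"/") else entry).decode("latin-1")
        else:                             # short name, stored as "name/"
            yield (raw[:-1] if raw.endswith(b"/") else raw).decode("latin-1")

def is_unsafe(name):
    """Assumed policy: a member name must be one plain path component."""
    return name in ("", ".", "..") or any(c in name for c in "/\\\0")

def unsafe_members(data):
    """Return the member names that should block extraction of the archive."""
    return [n for n in member_names(data) if is_unsafe(n)]

def build_member(name16, body):
    """Build one member for the constructed sample below (example data only)."""
    hdr = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name16, 0, 0, 0, b"644", len(body))
    return hdr + body + (b"\n" if len(body) & 1 else b"")

# Constructed sample: one ordinary member and one long name containing a slash.
TABLE = b"nested/member-name.o/\n"
SAMPLE = (MAGIC + build_member(b"//", TABLE)
          + build_member(b"ok.o/", b"data") + build_member(b"/0", b"x"))

if __name__ == "__main__":
    print(unsafe_members(SAMPLE))
```

Running the check before handing an untrusted archive to any extractor lets the caller reject it outright, whether or not the installed libelf1 carries the fix.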
CVE References
information type: Public → Public Security
I forgot to reference this bug in the changelog of the previously attached debdiff. Here's a debdiff that references this bug.