[Bug 1414206] Re: elfutils in Vivid is vulnerable to CVE-2014-9447
Dmitry Shachnev
mitya57 at gmail.com
Mon Jan 26 09:00:47 UTC 2015
** Information type changed from Public to Public Security
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1414206
Title:
elfutils in Vivid is vulnerable to CVE-2014-9447
Status in elfutils package in Ubuntu:
Confirmed
Bug description:
elfutils 0.160-0ubuntu2 has not been patched for CVE-2014-9447. I've
released updates for the stable Ubuntu releases but need a sponsor for
uploading to Vivid.
The vulnerability involves crafted ar archives causing a directory
traversal attack. Files in the root directory can be written if a
process, with write access to the root directory, uses libelf1 to
extract a malicious ar archive.
More info can be found in our CVE tracker:
http://people.canonical.com/~ubuntu-
security/cve/2014/CVE-2014-9447.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/elfutils/+bug/1414206/+subscriptions
More information about the Ubuntu-sponsors
mailing list