[Bug 1414206] Re: elfutils in Vivid is vulnerable to CVE-2014-9447

Launchpad Bug Tracker 1414206 at bugs.launchpad.net
Mon Jan 26 09:55:43 UTC 2015


This bug was fixed in the package elfutils - 0.160-0ubuntu3

---------------
elfutils (0.160-0ubuntu3) vivid; urgency=medium

  * SECURITY UPDATE: Directory traversal via crafted ar archive (LP: #1414206)
    - debian/patches/CVE-2014-9447.patch: Prevent root directory traversal
      while extracting ar archives
    - CVE-2014-9447
 -- Tyler Hicks <tyhicks at canonical.com>   Fri, 23 Jan 2015 16:24:20 -0600

** Changed in: elfutils (Ubuntu)
       Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9447

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1414206

Title:
  elfutils in Vivid is vulnerable to CVE-2014-9447

Status in elfutils package in Ubuntu:
  Fix Released

Bug description:
  elfutils 0.160-0ubuntu2 has not been patched for CVE-2014-9447. I've
  released updates for the stable Ubuntu releases but need a sponsor for
  uploading to Vivid.

  The vulnerability involves crafted ar archives causing a directory
  traversal attack. Files in the root directory can be written if a
  process, with write access to the root directory, uses libelf1 to
  extract a malicious ar archive.

  More info can be found in our CVE tracker:

    http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9447.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/elfutils/+bug/1414206/+subscriptions
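
An extraction-side check for the traversal described in the bug description, as an added example (it is not the elfutils patch and not code from this bug report): it refuses any archive member name that is not a plain file name and creates the file relative to a chosen output directory. `member_name_is_safe` and `extract_member` are hypothetical helper names.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* openat() and O_NOFOLLOW under strict -std= modes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: accept only a plain file name for an ar member. */
int member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strchr(name, '/') != NULL)      /* rejects "/x", "a/b" and "../x" */
        return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Hypothetical helper: write one member under the directory open at dirfd.
   Returns 0 on success, -1 with errno set on refusal or I/O error. */
int extract_member(int dirfd, const char *name, const void *data, size_t len)
{
    if (!member_name_is_safe(name)) {
        errno = EINVAL;
        return -1;
    }
    /* The name is resolved relative to dirfd. O_EXCL refuses to overwrite an
       existing file; O_NOFOLLOW refuses a symlink as the final component. */
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    const char *p = data;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            int saved = errno;          /* keep the write error for the caller */
            close(fd);
            unlinkat(dirfd, name, 0);   /* do not leave a partial file behind */
            errno = saved;
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return close(fd);
}
```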