[Bug 1414206] Re: elfutils in Vivid is vulnerable to CVE-2014-9447
Tyler Hicks
tyhicks at canonical.com
Fri Jan 23 22:27:20 UTC 2015
I forgot to reference this bug in the changelog of the previously
attached debdiff. Here's a debdiff that references this bug.
** Patch added: "elfutils_0.160-0ubuntu3.debdiff"
https://bugs.launchpad.net/ubuntu/+source/elfutils/+bug/1414206/+attachment/4304581/+files/elfutils_0.160-0ubuntu3.debdiff
** Patch removed: "elfutils_0.160-0ubuntu3.debdiff"
https://bugs.launchpad.net/ubuntu/+source/elfutils/+bug/1414206/+attachment/4304563/+files/elfutils_0.160-0ubuntu3.debdiff
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to elfutils in Ubuntu.
https://bugs.launchpad.net/bugs/1414206
Title:
elfutils in Vivid is vulnerable to CVE-2014-9447
Status in elfutils package in Ubuntu:
Confirmed
Bug description:
elfutils 0.160-0ubuntu2 has not been patched for CVE-2014-9447. I've
released updates for the stable Ubuntu releases but need a sponsor for
uploading to Vivid.
The vulnerability involves crafted ar archives causing a directory
traversal attack. Files in the root directory can be written if a
process, with write access to the root directory, uses libelf1 to
extract a malicious ar archive.
More info can be found in our CVE tracker:
http://people.canonical.com/~ubuntu-
security/cve/2014/CVE-2014-9447.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/elfutils/+bug/1414206/+subscriptions
More information about the foundations-bugs
mailing list