CVE-2014-9447

Publication date 2 January 2015

Last updated 24 July 2024

Ubuntu priority

Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
elfutils	14.10 utopic	Fixed 0.160-0ubuntu2.1
	14.04 LTS trusty	Fixed 0.158-0ubuntu5.2
	12.04 LTS precise	Fixed 0.152-1ubuntu3.1
	10.04 LTS lucid	Fixed 0.143-1ubuntu0.1

How can I get the fixes?
What do statuses mean?

Notes

tyhicks

Directory traversal is restricted to the root directory

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-2482-1
elfutils vulnerability
23 January 2015

Other references

https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-December/004499.html
https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e
http://www.openwall.com/lists/oss-security/2014/12/29/2
http://secunia.com/advisories/61934
https://www.cve.org/CVERecord?id=CVE-2014-9447