Date: Sunday, July 12, 2015 @ 11:53:30 Author: lcarlier Revision: 136713
upgpkg: lib32-elfutils 0.163-1 upstream update 0.163 Modified: lib32-elfutils/trunk/PKGBUILD Deleted: lib32-elfutils/trunk/0001-tests-Make-deleted-and-vdsosyms-testcases-work-with-.patch lib32-elfutils/trunk/CVE-2014-9447.patch -----------------------------------------------------------------+ 0001-tests-Make-deleted-and-vdsosyms-testcases-work-with-.patch | 63 ---------- CVE-2014-9447.patch | 53 -------- PKGBUILD | 22 --- 3 files changed, 5 insertions(+), 133 deletions(-) Deleted: 0001-tests-Make-deleted-and-vdsosyms-testcases-work-with-.patch =================================================================== --- 0001-tests-Make-deleted-and-vdsosyms-testcases-work-with-.patch 2015-07-12 09:49:09 UTC (rev 136712) +++ 0001-tests-Make-deleted-and-vdsosyms-testcases-work-with-.patch 2015-07-12 09:53:30 UTC (rev 136713) @@ -1,63 +0,0 @@ -From 224e6776cfe6fc23a207cd05bf75b1e3548853a0 Mon Sep 17 00:00:00 2001 -From: Mark Wielaard <m...@redhat.com> -Date: Thu, 15 Jan 2015 13:39:06 +0100 -Subject: [PATCH] tests: Make deleted and vdsosyms testcases work with - "restricted ptrace". - -Some systems might have "restricted ptrace" that doesn't allow process -inspection of arbitrary processes. Change the deleted testcase to -explicitly allow any other process to inspect it using the PR_SET_PTRACER -prctl set to PR_SET_PTRACER_ANY. Change the vdsosyms testcase to inspect -the process itself which should always be allowed. - -Reported-by: Anatol Pomozov <anatol.pomo...@gmail.com> -Signed-off-by: Mark Wielaard <m...@redhat.com> ---- - tests/ChangeLog | 5 +++++ - tests/deleted.c | 6 ++++++ - tests/vdsosyms.c | 5 +++-- - 3 files changed, 14 insertions(+), 2 deletions(-) - -diff --git a/tests/deleted.c b/tests/deleted.c -index 32a310b..d071bf7 100644 ---- a/tests/deleted.c -+++ b/tests/deleted.c -@@ -23,6 +23,7 @@ - #include <stdio.h> - #include <error.h> - #include <errno.h> -+#include <sys/prctl.h> - - extern void libfunc (void); - -@@ -42,6 +43,11 @@ main (int argc __attribute__ ((unused)), char **argv __attribute__ ((unused))) - assert (!err); - err = close (2); - assert (!err); -+ /* Make sure eu-stack -p works on this process even with -+ "restricted ptrace". */ -+#ifdef PR_SET_PTRACER_ANY -+ prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0); -+#endif - libfunc (); - abort (); - } -diff --git a/tests/vdsosyms.c b/tests/vdsosyms.c -index c1f8d89..4f12b9a 100644 ---- a/tests/vdsosyms.c -+++ b/tests/vdsosyms.c -@@ -80,8 +80,9 @@ main (int argc __attribute__ ((unused)), char **argv __attribute__ ((unused))) - if (dwfl == NULL) - error (2, 0, "dwfl_begin: %s", dwfl_errmsg (-1)); - -- /* Take our parent as "arbitrary" process to inspect. */ -- pid_t pid = getppid(); -+ /* Take ourself as "arbitrary" process to inspect. This should work -+ even with "restricted ptrace". */ -+ pid_t pid = getpid(); - - int result = dwfl_linux_proc_report (dwfl, pid); - if (result < 0) --- -1.8.3.1 - Deleted: CVE-2014-9447.patch =================================================================== --- CVE-2014-9447.patch 2015-07-12 09:49:09 UTC (rev 136712) +++ CVE-2014-9447.patch 2015-07-12 09:53:30 UTC (rev 136713) @@ -1,53 +0,0 @@ -From 147018e729e7c22eeabf15b82d26e4bf68a0d18e Mon Sep 17 00:00:00 2001 -From: Alexander Cherepanov <chere...@mccme.ru> -Date: Sun, 28 Dec 2014 19:57:19 +0300 -Subject: libelf: Fix dir traversal vuln in ar extraction. - -read_long_names terminates names at the first '/' found but then skips -one character without checking (it's supposed to be '\n'). Hence the -next name could start with any character including '/'. This leads to -a directory traversal vulnerability at the time the contents of the -archive is extracted. - -The danger is mitigated by the fact that only one '/' is possible in a -resulting filename and only in the leading position. Hence only files -in the root directory can be written via this vuln and only when ar is -executed as root. - -The fix for the vuln is to not skip any characters while looking -for '/'. - -Signed-off-by: Alexander Cherepanov <chere...@mccme.ru> - -diff --git a/libelf/ChangeLog b/libelf/ChangeLog -index 3b88d03..447c354 100644 ---- a/libelf/ChangeLog -+++ b/libelf/ChangeLog -@@ -1,3 +1,8 @@ -+2014-12-28 Alexander Cherepanov <chere...@mccme.ru> -+ -+ * elf_begin.c (read_long_names): Don't miss '/' right after -+ another '/'. Fixes a dir traversal vuln in ar extraction. -+ - 2014-12-18 Ulrich Drepper <drep...@gmail.com> - - * Makefile.am: Suppress output of textrel_check command. -diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c -index 30abe0b..cd3756c 100644 ---- a/libelf/elf_begin.c -+++ b/libelf/elf_begin.c -@@ -749,10 +749,7 @@ read_long_names (Elf *elf) - } - - /* NUL-terminate the string. */ -- *runp = '\0'; -- -- /* Skip the NUL byte and the \012. */ -- runp += 2; -+ *runp++ = '\0'; - - /* A sanity check. Somebody might have generated invalid - archive. */ --- -cgit v0.10.2 - Modified: PKGBUILD =================================================================== --- PKGBUILD 2015-07-12 09:49:09 UTC (rev 136712) +++ PKGBUILD 2015-07-12 09:53:30 UTC (rev 136713) @@ -4,8 +4,8 @@ _pkgbasename=elfutils pkgname=lib32-elfutils -pkgver=0.161 -pkgrel=2 +pkgver=0.163 +pkgrel=1 pkgdesc="Collection of libraries for working with ELF object files and DWARF debugging information (32-bit)" arch=('x86_64') url="https://fedorahosted.org/elfutils/" @@ -12,24 +12,12 @@ license=('LGPL3' 'GPL' 'GPL3') depends=('lib32-bzip2' 'lib32-zlib' 'elfutils') makedepends=('gcc-multilib') -source=(https://fedorahosted.org/releases/e/l/elfutils/${pkgver}/elfutils-${pkgver}.tar.bz2{,.sig} - 0001-tests-Make-deleted-and-vdsosyms-testcases-work-with-.patch - CVE-2014-9447.patch) +source=(https://fedorahosted.org/releases/e/l/elfutils/${pkgver}/elfutils-${pkgver}.tar.bz2{,.sig}) options=('staticlibs') -sha1sums=('85d48e18359c51e843c49b1894b2f54b85e88ae2' - 'SKIP' - '86947fb8d0f51a65e19142350925f428ad0c7cb1' - 'd3e0e8275695fcc6347b8730bd1eb141a022f756') +sha1sums=('7931b4961364a8a17c708138c70c552ae2881227' + 'SKIP') validpgpkeys=('47CC0331081B8BC6D0FD4DA08370665B57816A6A') # Mark J. Wielaard <m...@klomp.org> -prepare() { - cd ${_pkgbasename}-${pkgver} - - # https://lists.fedorahosted.org/pipermail/elfutils-devel/2015-January/004541.html - patch -p1 < "$srcdir"/0001-tests-Make-deleted-and-vdsosyms-testcases-work-with-.patch - patch -p1 < "$srcdir"/CVE-2014-9447.patch -} - build() { cd ${srcdir}/${_pkgbasename}-${pkgver}