[arch-commits] Commit in lib32-elfutils/trunk (3 files)

Laurent Carlier lcarlier at archlinux.org
Sun Jul 12 09:53:31 UTC 2015 

    Date: Sunday, July 12, 2015 @ 11:53:30
  Author: lcarlier
Revision: 136713

upgpkg: lib32-elfutils 0.163-1

upstream update 0.163

Modified:
  lib32-elfutils/trunk/PKGBUILD
Deleted:
  lib32-elfutils/trunk/0001-tests-Make-deleted-and-vdsosyms-testcases-work-with-.patch
  lib32-elfutils/trunk/CVE-2014-9447.patch

-----------------------------------------------------------------+
 0001-tests-Make-deleted-and-vdsosyms-testcases-work-with-.patch |   63 ----------
 CVE-2014-9447.patch                                             |   53 --------
 PKGBUILD                                                        |   22 ---
 3 files changed, 5 insertions(+), 133 deletions(-)

Deleted: 0001-tests-Make-deleted-and-vdsosyms-testcases-work-with-.patch
===================================================================
--- 0001-tests-Make-deleted-and-vdsosyms-testcases-work-with-.patch	2015-07-12 09:49:09 UTC (rev 136712)
+++ 0001-tests-Make-deleted-and-vdsosyms-testcases-work-with-.patch	2015-07-12 09:53:30 UTC (rev 136713)
@@ -1,63 +0,0 @@
-From 224e6776cfe6fc23a207cd05bf75b1e3548853a0 Mon Sep 17 00:00:00 2001
-From: Mark Wielaard <mjw at redhat.com>
-Date: Thu, 15 Jan 2015 13:39:06 +0100
-Subject: [PATCH] tests: Make deleted and vdsosyms testcases work with
- "restricted ptrace".
-
-Some systems might have "restricted ptrace" that doesn't allow process
-inspection of arbitrary processes. Change the deleted testcase to
-explicitly allow any other process to inspect it using the PR_SET_PTRACER
-prctl set to PR_SET_PTRACER_ANY. Change the vdsosyms testcase to inspect
-the process itself which should always be allowed.
-
-Reported-by: Anatol Pomozov <anatol.pomozov at gmail.com>
-Signed-off-by: Mark Wielaard <mjw at redhat.com>
----
- tests/ChangeLog  | 5 +++++
- tests/deleted.c  | 6 ++++++
- tests/vdsosyms.c | 5 +++--
- 3 files changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/tests/deleted.c b/tests/deleted.c
-index 32a310b..d071bf7 100644
---- a/tests/deleted.c
-+++ b/tests/deleted.c
-@@ -23,6 +23,7 @@
- #include <stdio.h>
- #include <error.h>
- #include <errno.h>
-+#include <sys/prctl.h>
- 
- extern void libfunc (void);
- 
-@@ -42,6 +43,11 @@ main (int argc __attribute__ ((unused)), char **argv __attribute__ ((unused)))
-       assert (!err);
-       err = close (2);
-       assert (!err);
-+      /* Make sure eu-stack -p works on this process even with
-+	 "restricted ptrace".  */
-+#ifdef PR_SET_PTRACER_ANY
-+      prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0);
-+#endif
-       libfunc ();
-       abort ();
-     }
-diff --git a/tests/vdsosyms.c b/tests/vdsosyms.c
-index c1f8d89..4f12b9a 100644
---- a/tests/vdsosyms.c
-+++ b/tests/vdsosyms.c
-@@ -80,8 +80,9 @@ main (int argc __attribute__ ((unused)), char **argv __attribute__ ((unused)))
-   if (dwfl == NULL)
-     error (2, 0, "dwfl_begin: %s", dwfl_errmsg (-1));
- 
--  /* Take our parent as "arbitrary" process to inspect.  */
--  pid_t pid = getppid();
-+  /* Take ourself as "arbitrary" process to inspect.  This should work
-+     even with "restricted ptrace".  */
-+  pid_t pid = getpid();
- 
-   int result = dwfl_linux_proc_report (dwfl, pid);
-   if (result < 0)
--- 
-1.8.3.1
-

Deleted: CVE-2014-9447.patch
===================================================================
--- CVE-2014-9447.patch	2015-07-12 09:49:09 UTC (rev 136712)
+++ CVE-2014-9447.patch	2015-07-12 09:53:30 UTC (rev 136713)
@@ -1,53 +0,0 @@
-From 147018e729e7c22eeabf15b82d26e4bf68a0d18e Mon Sep 17 00:00:00 2001
-From: Alexander Cherepanov <cherepan at mccme.ru>
-Date: Sun, 28 Dec 2014 19:57:19 +0300
-Subject: libelf: Fix dir traversal vuln in ar extraction.
-
-read_long_names terminates names at the first '/' found but then skips
-one character without checking (it's supposed to be '\n'). Hence the
-next name could start with any character including '/'. This leads to
-a directory traversal vulnerability at the time the contents of the
-archive is extracted.
-
-The danger is mitigated by the fact that only one '/' is possible in a
-resulting filename and only in the leading position. Hence only files
-in the root directory can be written via this vuln and only when ar is
-executed as root.
-
-The fix for the vuln is to not skip any characters while looking
-for '/'.
-
-Signed-off-by: Alexander Cherepanov <cherepan at mccme.ru>
-
-diff --git a/libelf/ChangeLog b/libelf/ChangeLog
-index 3b88d03..447c354 100644
---- a/libelf/ChangeLog
-+++ b/libelf/ChangeLog
-@@ -1,3 +1,8 @@
-+2014-12-28  Alexander Cherepanov  <cherepan at mccme.ru>
-+
-+	* elf_begin.c (read_long_names): Don't miss '/' right after
-+	another '/'. Fixes a dir traversal vuln in ar extraction.
-+
- 2014-12-18  Ulrich Drepper  <drepper at gmail.com>
- 
- 	* Makefile.am: Suppress output of textrel_check command.
-diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
-index 30abe0b..cd3756c 100644
---- a/libelf/elf_begin.c
-+++ b/libelf/elf_begin.c
-@@ -749,10 +749,7 @@ read_long_names (Elf *elf)
- 	    }
- 
- 	  /* NUL-terminate the string.  */
--	  *runp = '\0';
--
--	  /* Skip the NUL byte and the \012.  */
--	  runp += 2;
-+	  *runp++ = '\0';
- 
- 	  /* A sanity check.  Somebody might have generated invalid
- 	     archive.  */
--- 
-cgit v0.10.2
-

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2015-07-12 09:49:09 UTC (rev 136712)
+++ PKGBUILD	2015-07-12 09:53:30 UTC (rev 136713)
@@ -4,8 +4,8 @@
 
 _pkgbasename=elfutils
 pkgname=lib32-elfutils
-pkgver=0.161
-pkgrel=2
+pkgver=0.163
+pkgrel=1
 pkgdesc="Collection of libraries for working with ELF object files and DWARF debugging information (32-bit)"
 arch=('x86_64')
 url="https://fedorahosted.org/elfutils/"
@@ -12,24 +12,12 @@
 license=('LGPL3' 'GPL' 'GPL3')
 depends=('lib32-bzip2' 'lib32-zlib' 'elfutils')
 makedepends=('gcc-multilib')
-source=(https://fedorahosted.org/releases/e/l/elfutils/${pkgver}/elfutils-${pkgver}.tar.bz2{,.sig}
-        0001-tests-Make-deleted-and-vdsosyms-testcases-work-with-.patch
-        CVE-2014-9447.patch)
+source=(https://fedorahosted.org/releases/e/l/elfutils/${pkgver}/elfutils-${pkgver}.tar.bz2{,.sig})
 options=('staticlibs')
-sha1sums=('85d48e18359c51e843c49b1894b2f54b85e88ae2'
-          'SKIP'
-          '86947fb8d0f51a65e19142350925f428ad0c7cb1'
-          'd3e0e8275695fcc6347b8730bd1eb141a022f756')
+sha1sums=('7931b4961364a8a17c708138c70c552ae2881227'
+          'SKIP')
 validpgpkeys=('47CC0331081B8BC6D0FD4DA08370665B57816A6A') # Mark J. Wielaard <mark at klomp.org>
 
-prepare() {
-  cd ${_pkgbasename}-${pkgver}
-
-  # https://lists.fedorahosted.org/pipermail/elfutils-devel/2015-January/004541.html
-  patch -p1 < "$srcdir"/0001-tests-Make-deleted-and-vdsosyms-testcases-work-with-.patch
-  patch -p1 < "$srcdir"/CVE-2014-9447.patch
-}
-
 build() {
   cd ${srcdir}/${_pkgbasename}-${pkgver}

More information about the arch-commits mailing list