diff -rcp binutils-2.23.52.0.1.orig/binutils/ar.c binutils-2.23.52.0.1/binutils/ar.c

*** binutils-2.23.52.0.1.orig/binutils/ar.c	2014-11-11 20:51:37.044244928 +0000

--- binutils-2.23.52.0.1/binutils/ar.c	2014-11-11 20:53:41.245801920 +0000

*************** extract_file (bfd *abfd)

*** 1013,1018 ****

--- 1013,1027 ----

    bfd_size_type size;

    struct stat buf;

+   /* PR binutils/17533: Do not allow directory traversal

+      outside of the current directory tree.  */

+   if (! is_valid_archive_path (bfd_get_filename (abfd)))

+     {

+       non_fatal (_("illegal pathname found in archive member: %s"),

+ 		 bfd_get_filename (abfd));

+       return;

+     }

+ 

    if (bfd_stat_arch_elt (abfd, &buf) != 0)

      /* xgettext:c-format */

      fatal (_("internal stat error on %s"), bfd_get_filename (abfd));

diff -rcp binutils-2.23.52.0.1.orig/binutils/bucomm.c binutils-2.23.52.0.1/binutils/bucomm.c

*** binutils-2.23.52.0.1.orig/binutils/bucomm.c	2014-11-11 20:51:37.022244830 +0000

--- binutils-2.23.52.0.1/binutils/bucomm.c	2014-11-11 20:52:45.452550953 +0000

*************** bfd_get_archive_filename (const bfd *abf

*** 624,626 ****

--- 624,652 ----

  	   bfd_get_filename (abfd));

    return buf;

  }

+ 

+ /* Returns TRUE iff PATHNAME, a filename of an archive member,

+    is valid for writing.  For security reasons absolute paths

+    and paths containing /../ are not allowed.  See PR 17533.  */

+ 

+ bfd_boolean

+ is_valid_archive_path (char const * pathname)

+ {

+   const char * n = pathname;

+ 

+   if (IS_ABSOLUTE_PATH (n))

+     return FALSE;

+ 

+   while (*n)

+     {

+       if (*n == '.' && *++n == '.' && ( ! *++n || IS_DIR_SEPARATOR (*n)))

+ 	return FALSE;

+ 

+       while (*n && ! IS_DIR_SEPARATOR (*n))

+ 	n++;

+       while (IS_DIR_SEPARATOR (*n))

+ 	n++;

+     }

+ 

+   return TRUE;

+ }

diff -rcp binutils-2.23.52.0.1.orig/binutils/bucomm.h binutils-2.23.52.0.1/binutils/bucomm.h

*** binutils-2.23.52.0.1.orig/binutils/bucomm.h	2014-11-11 20:51:37.030244866 +0000

--- binutils-2.23.52.0.1/binutils/bucomm.h	2014-11-11 20:53:03.228630913 +0000

*************** bfd_vma parse_vma (const char *, const c

*** 58,63 ****

--- 58,65 ----

  off_t get_file_size (const char *);

+ bfd_boolean is_valid_archive_path (char const *);

+ 

  extern char *program_name;

  /* filemode.c */

diff -rcp binutils-2.23.52.0.1.orig/binutils/doc/binutils.texi binutils-2.23.52.0.1/binutils/doc/binutils.texi

*** binutils-2.23.52.0.1.orig/binutils/doc/binutils.texi	2014-11-11 20:51:37.052244964 +0000

--- binutils-2.23.52.0.1/binutils/doc/binutils.texi	2014-11-11 20:56:13.759503335 +0000

*************** a normal archive.  Instead the elements

*** 234,240 ****

  individually to the second archive.

  The paths to the elements of the archive are stored relative to the

! archive itself.

  @cindex compatibility, @command{ar}

  @cindex @command{ar} compatibility

--- 234,241 ----

  individually to the second archive.

  The paths to the elements of the archive are stored relative to the

! archive itself.  For security reasons absolute paths and paths with a

! @code{/../} component are not allowed.

  @cindex compatibility, @command{ar}

  @cindex @command{ar} compatibility

diff -rcp binutils-2.23.52.0.1.orig/binutils/objcopy.c binutils-2.23.52.0.1/binutils/objcopy.c

*** binutils-2.23.52.0.1.orig/binutils/objcopy.c	2014-11-11 20:51:37.030244866 +0000

--- binutils-2.23.52.0.1/binutils/objcopy.c	2014-11-11 20:55:30.431307076 +0000

*************** copy_archive (bfd *ibfd, bfd *obfd, cons

*** 2182,2187 ****

--- 2182,2197 ----

        bfd_boolean del = TRUE;

        bfd_boolean ok_object;

+       /* PR binutils/17533: Do not allow directory traversal

+ 	 outside of the current directory tree by archive members.  */

+       if (! is_valid_archive_path (bfd_get_filename (this_element)))

+ 	{

+ 	  non_fatal (_("illegal pathname found in archive member: %s"),

+ 		     bfd_get_filename (this_element));

+ 	  status = 1;

+ 	  goto cleanup_and_exit;

+ 	}

+ 

        /* Create an output file for this member.  */

        output_name = concat (dir, "/",

  			    bfd_get_filename (this_element), (char *) 0);

*************** copy_archive (bfd *ibfd, bfd *obfd, cons

*** 2191,2198 ****

  	{

  	  output_name = make_tempdir (output_name);

  	  if (output_name == NULL)

! 	    fatal (_("cannot create tempdir for archive copying (error: %s)"),

! 		   strerror (errno));

  	  l = (struct name_list *) xmalloc (sizeof (struct name_list));

  	  l->name = output_name;

--- 2201,2212 ----

  	{

  	  output_name = make_tempdir (output_name);

  	  if (output_name == NULL)

! 	    {

! 	      non_fatal (_("cannot create tempdir for archive copying (error: %s)"),

! 			 strerror (errno));

! 	      status = 1;

! 	      goto cleanup_and_exit;

! 	    }

  	  l = (struct name_list *) xmalloc (sizeof (struct name_list));

  	  l->name = output_name;

*************** copy_archive (bfd *ibfd, bfd *obfd, cons

*** 2234,2240 ****

  	{

  	  bfd_nonfatal_message (output_name, NULL, NULL, NULL);

  	  status = 1;

! 	  return;

  	}

        if (ok_object)

--- 2248,2254 ----

  	{

  	  bfd_nonfatal_message (output_name, NULL, NULL, NULL);

  	  status = 1;

! 	  goto cleanup_and_exit;

  	}

        if (ok_object)

*************** copy_archive (bfd *ibfd, bfd *obfd, cons

*** 2295,2301 ****

      {

        status = 1;

        bfd_nonfatal_message (filename, NULL, NULL, NULL);

-       return;

      }

    filename = bfd_get_filename (ibfd);

--- 2309,2314 ----

*************** copy_archive (bfd *ibfd, bfd *obfd, cons

*** 2303,2311 ****

      {

        status = 1;

        bfd_nonfatal_message (filename, NULL, NULL, NULL);

-       return;

      }

    /* Delete all the files that we opened.  */

    for (l = list; l != NULL; l = l->next)

      {

--- 2316,2324 ----

      {

        status = 1;

        bfd_nonfatal_message (filename, NULL, NULL, NULL);

      }

+  cleanup_and_exit:

    /* Delete all the files that we opened.  */

    for (l = list; l != NULL; l = l->next)

      {