new file mode 100644

@@ -0,0 +1,337 @@

+From b23dc97fe237a1d9e850d7cbeee066183a00630b Mon Sep 17 00:00:00 2001

+From: Nick Clifton <nickc@redhat.com>

+Date: Tue, 28 Nov 2017 13:20:31 +0000

+Subject: [PATCH] Fix a memory access violation when attempting to parse a

+ corrupt COFF binary with a relocation that points beyond the end of the

+ section to be relocated.

+

+	PR 22506

+	* reloc.c (reloc_offset_in_range): Rename to

+	bfd_reloc_offset_in_range and export.

+	(bfd_perform_relocation): Rename function invocation.

+	(bfd_install_relocation): Likewise.

+	(bfd_final_link_relocate): Likewise.

+	* bfd-in2.h: Regenerate.

+	* coff-arm.c (coff_arm_reloc): Use bfd_reloc_offset_in_range.

+	* coff-i386.c (coff_i386_reloc): Likewise.

+	* coff-i860.c (coff_i860_reloc): Likewise.

+	* coff-m68k.c (mk68kcoff_common_addend_special_fn): Likewise.

+	* coff-m88k.c (m88k_special_reloc): Likewise.

+	* coff-mips.c (mips_reflo_reloc): Likewise.

+	* coff-x86_64.c (coff_amd64_reloc): Likewise.

+---

+ bfd/bfd-in2.h     |  6 +++++

+ bfd/coff-arm.c    | 65 ++++++++++++++++++++++++++++++-------------------------

+ bfd/coff-i386.c   |  5 +++++

+ bfd/coff-i860.c   |  5 +++++

+ bfd/coff-m68k.c   |  5 +++++

+ bfd/coff-m88k.c   |  9 +++++++-

+ bfd/coff-mips.c   |  6 +++++

+ bfd/coff-x86_64.c | 16 +++++---------

+ bfd/reloc.c       | 40 +++++++++++++++++++++++++++++-----

+

+diff --git a/bfd/bfd-in2.h b/bfd/bfd-in2.h

+index 1b483bd..db1c480 100644

+--- a/bfd/bfd-in2.h

+@@ -2662,6 +2662,12 @@ bfd_reloc_status_type bfd_check_overflow

+     unsigned int addrsize,

+     bfd_vma relocation);

+ 

++bfd_boolean bfd_reloc_offset_in_range

++   (reloc_howto_type *howto,

++    bfd *abfd,

++    asection *section,

++    bfd_size_type offset);

++

+ bfd_reloc_status_type bfd_perform_relocation

+    (bfd *abfd,

+     arelent *reloc_entry,

+diff --git a/bfd/coff-arm.c b/bfd/coff-arm.c

+index 8a2fe1a..1e66cbc 100644

+--- a/bfd/coff-arm.c

+@@ -109,41 +109,46 @@ coff_arm_reloc (bfd *abfd,

+   x = ((x & ~howto->dst_mask)					\

+        | (((x & howto->src_mask) + diff) & howto->dst_mask))

+ 

+-    if (diff != 0)

+-      {

+-	reloc_howto_type *howto = reloc_entry->howto;

+-	unsigned char *addr = (unsigned char *) data + reloc_entry->address;

++  if (diff != 0)

++    {

++      reloc_howto_type *howto = reloc_entry->howto;

++      unsigned char *addr = (unsigned char *) data + reloc_entry->address;

+ 

+-	switch (howto->size)

+-	  {

+-	  case 0:

+-	    {

+-	      char x = bfd_get_8 (abfd, addr);

+-	      DOIT (x);

+-	      bfd_put_8 (abfd, x, addr);

+-	    }

+-	    break;

++      if (! bfd_reloc_offset_in_range (howto, abfd, input_section,

++				       reloc_entry->address

++				       * bfd_octets_per_byte (abfd)))

++	return bfd_reloc_outofrange;

+ 

+-	  case 1:

+-	    {

+-	      short x = bfd_get_16 (abfd, addr);

+-	      DOIT (x);

+-	      bfd_put_16 (abfd, (bfd_vma) x, addr);

+-	    }

+-	    break;

++      switch (howto->size)

++	{

++	case 0:

++	  {

++	    char x = bfd_get_8 (abfd, addr);

++	    DOIT (x);

++	    bfd_put_8 (abfd, x, addr);

++	  }

++	  break;

+ 

+-	  case 2:

+-	    {

+-	      long x = bfd_get_32 (abfd, addr);

+-	      DOIT (x);

+-	      bfd_put_32 (abfd, (bfd_vma) x, addr);

+-	    }

+-	    break;

++	case 1:

++	  {

++	    short x = bfd_get_16 (abfd, addr);

++	    DOIT (x);

++	    bfd_put_16 (abfd, (bfd_vma) x, addr);

++	  }

++	  break;

+ 

+-	  default:

+-	    abort ();

++	case 2:

++	  {

++	    long x = bfd_get_32 (abfd, addr);

++	    DOIT (x);

++	    bfd_put_32 (abfd, (bfd_vma) x, addr);

+ 	  }

+-      }

++	  break;

++

++	default:

++	  abort ();

++	}

++    }

+ 

+   /* Now let bfd_perform_relocation finish everything up.  */

+   return bfd_reloc_continue;

+diff --git a/bfd/coff-i386.c b/bfd/coff-i386.c

+index b6ef597..91371d8 100644

+--- a/bfd/coff-i386.c

+@@ -144,6 +144,11 @@ coff_i386_reloc (bfd *abfd,

+       reloc_howto_type *howto = reloc_entry->howto;

+       unsigned char *addr = (unsigned char *) data + reloc_entry->address;

+ 

++      if (! bfd_reloc_offset_in_range (howto, abfd, input_section,

++				       reloc_entry->address

++				       * bfd_octets_per_byte (abfd)))

++	return bfd_reloc_outofrange;

++

+       switch (howto->size)

+ 	{

+ 	case 0:

+diff --git a/bfd/coff-i860.c b/bfd/coff-i860.c

+index a3c22c6..e2e49f9 100644

+--- a/bfd/coff-i860.c

+@@ -95,6 +95,11 @@ coff_i860_reloc (bfd *abfd,

+ 	reloc_howto_type *howto = reloc_entry->howto;

+ 	unsigned char *addr = (unsigned char *) data + reloc_entry->address;

+ 

++	if (! bfd_reloc_offset_in_range (howto, abfd, input_section,

++					 reloc_entry->address

++					 * bfd_octets_per_byte (abfd)))

++	  return bfd_reloc_outofrange;

++

+ 	switch (howto->size)

+ 	  {

+ 	  case 0:

+diff --git a/bfd/coff-m68k.c b/bfd/coff-m68k.c

+index dff6e1d..1730c11 100644

+--- a/bfd/coff-m68k.c

+@@ -305,6 +305,11 @@ m68kcoff_common_addend_special_fn (bfd *abfd,

+       reloc_howto_type *howto = reloc_entry->howto;

+       unsigned char *addr = (unsigned char *) data + reloc_entry->address;

+ 

++      if (! bfd_reloc_offset_in_range (howto, abfd, input_section,

++				       reloc_entry->address

++				       * bfd_octets_per_byte (abfd)))

++	return bfd_reloc_outofrange;

++

+       switch (howto->size)

+ 	{

+ 	case 0:

+diff --git a/bfd/coff-m88k.c b/bfd/coff-m88k.c

+index ebe4fd3..6314bd3 100644

+--- a/bfd/coff-m88k.c

+@@ -72,10 +72,17 @@ m88k_special_reloc (bfd *abfd,

+ 	{

+ 	  bfd_vma output_base = 0;

+ 	  bfd_vma addr = reloc_entry->address;

+-	  bfd_vma x = bfd_get_16 (abfd, (bfd_byte *) data + addr);

++	  bfd_vma x;

+ 	  asection *reloc_target_output_section;

+ 	  long relocation = 0;

+ 

++	  if (! bfd_reloc_offset_in_range (howto, abfd, input_section,

++					   reloc_entry->address

++					   * bfd_octets_per_byte (abfd)))

++	    return bfd_reloc_outofrange;

++

++	  x = bfd_get_16 (abfd, (bfd_byte *) data + addr);	  

++

+ 	  /* Work out which section the relocation is targeted at and the

+ 	     initial relocation command value.  */

+ 

+diff --git a/bfd/coff-mips.c b/bfd/coff-mips.c

+index c3ade62..ac2b934 100644

+--- a/bfd/coff-mips.c

+@@ -504,6 +504,12 @@ mips_reflo_reloc (bfd *abfd ATTRIBUTE_UNUSED,

+ 	  unsigned long vallo;

+ 	  struct mips_hi *next;

+ 

++	  if (! bfd_reloc_offset_in_range (reloc_entry->howto, abfd,

++					   input_section,

++					   reloc_entry->address

++					   * bfd_octets_per_byte (abfd)))

++	    return bfd_reloc_outofrange;

++	  

+ 	  /* Do the REFHI relocation.  Note that we actually don't

+ 	     need to know anything about the REFLO itself, except

+ 	     where to find the low 16 bits of the addend needed by the

+diff --git a/bfd/coff-x86_64.c b/bfd/coff-x86_64.c

+index de22822..4d0bf18 100644

+--- a/bfd/coff-x86_64.c

+@@ -142,17 +142,11 @@ coff_amd64_reloc (bfd *abfd,

+     {

+       reloc_howto_type *howto = reloc_entry->howto;

+       unsigned char *addr = (unsigned char *) data + reloc_entry->address;

+-

+-      /* FIXME: We do not have an end address for data, so we cannot

+-	 accurately range check any addresses computed against it.

+-	 cf: PR binutils/17512: file: 1085-1761-0.004.

+-	 For now we do the best that we can.  */

+-      if (addr < (unsigned char *) data

+-	  || addr > ((unsigned char *) data) + input_section->size)

+-	{

+-	  bfd_set_error (bfd_error_bad_value);

+-	  return bfd_reloc_notsupported;

+-	}

++      

++      if (! bfd_reloc_offset_in_range (howto, abfd, input_section,

++				       reloc_entry->address

++				       * bfd_octets_per_byte (abfd)))

++	return bfd_reloc_outofrange;

+ 

+       switch (howto->size)

+ 	{

+diff --git a/bfd/reloc.c b/bfd/reloc.c

+index 7ee7844..0fe93be 100644

+--- a/bfd/reloc.c

+@@ -540,12 +540,31 @@ bfd_check_overflow (enum complain_overflow how,

+   return flag;

+ }

+ 

++/*

++FUNCTION

++	bfd_reloc_offset_in_range

++

++SYNOPSIS

++	bfd_boolean bfd_reloc_offset_in_range

++          (reloc_howto_type *howto,

++           bfd *abfd,

++           asection *section,

++           bfd_size_type offset);

++

++DESCRIPTION

++        Returns TRUE if the reloc described by @var{HOWTO} can be

++	applied at @var{OFFSET} octets in @var{SECTION}.

++

++*/

++

+ /* HOWTO describes a relocation, at offset OCTET.  Return whether the

+    relocation field is within SECTION of ABFD.  */

+ 

+-static bfd_boolean

+-reloc_offset_in_range (reloc_howto_type *howto, bfd *abfd,

+-		       asection *section, bfd_size_type octet)

++bfd_boolean

++bfd_reloc_offset_in_range (reloc_howto_type *howto,

++			   bfd *abfd,

++			   asection *section,

++			   bfd_size_type octet)

+ {

+   bfd_size_type octet_end = bfd_get_section_limit_octets (abfd, section);

+   bfd_size_type reloc_size = bfd_get_reloc_size (howto);

+@@ -619,6 +638,11 @@ bfd_perform_relocation (bfd *abfd,

+   if (howto && howto->special_function)

+     {

+       bfd_reloc_status_type cont;

++

++      /* Note - we do not call bfd_reloc_offset_in_range here as the

++	 reloc_entry->address field might actually be valid for the

++	 backend concerned.  It is up to the special_function itself

++	 to call bfd_reloc_offset_in_range if needed.  */

+       cont = howto->special_function (abfd, reloc_entry, symbol, data,

+ 				      input_section, output_bfd,

+ 				      error_message);

+@@ -639,7 +663,7 @@ bfd_perform_relocation (bfd *abfd,

+ 

+   /* Is the address of the relocation really within the section?  */

+   octets = reloc_entry->address * bfd_octets_per_byte (abfd);

+-  if (!reloc_offset_in_range (howto, abfd, input_section, octets))

++  if (!bfd_reloc_offset_in_range (howto, abfd, input_section, octets))

+     return bfd_reloc_outofrange;

+ 

+   /* Work out which section the relocation is targeted at and the

+@@ -1005,6 +1029,10 @@ bfd_install_relocation (bfd *abfd,

+     {

+       bfd_reloc_status_type cont;

+ 

++      /* Note - we do not call bfd_reloc_offset_in_range here as the

++	 reloc_entry->address field might actually be valid for the

++	 backend concerned.  It is up to the special_function itself

++	 to call bfd_reloc_offset_in_range if needed.  */

+       /* XXX - The special_function calls haven't been fixed up to deal

+ 	 with creating new relocations and section contents.  */

+       cont = howto->special_function (abfd, reloc_entry, symbol,

+@@ -1027,7 +1055,7 @@ bfd_install_relocation (bfd *abfd,

+ 

+   /* Is the address of the relocation really within the section?  */

+   octets = reloc_entry->address * bfd_octets_per_byte (abfd);

+-  if (!reloc_offset_in_range (howto, abfd, input_section, octets))

++  if (!bfd_reloc_offset_in_range (howto, abfd, input_section, octets))

+     return bfd_reloc_outofrange;

+ 

+   /* Work out which section the relocation is targeted at and the

+@@ -1365,7 +1393,7 @@ _bfd_final_link_relocate (reloc_howto_type *howto,

+   bfd_size_type octets = address * bfd_octets_per_byte (input_bfd);

+ 

+   /* Sanity check the address.  */

+-  if (!reloc_offset_in_range (howto, input_bfd, input_section, octets))

++  if (!bfd_reloc_offset_in_range (howto, input_bfd, input_section, octets))

+     return bfd_reloc_outofrange;

+ 

+   /* This function assumes that we are dealing with a basic relocation

+-- 

+2.9.3

+

new file mode 100644

@@ -0,0 +1,38 @@

+From d785b7d4b877ed465d04072e17ca19d0f47d840f Mon Sep 17 00:00:00 2001

+From: Nick Clifton <nickc@redhat.com>

+Date: Wed, 29 Nov 2017 12:40:43 +0000

+Subject: [PATCH] Stop objdump from attempting to allocate a huge chunk of

+ memory when parsing relocs in a corrupt file.

+

+	PR 22508

+	* objdump.c (dump_relocs_in_section): Also check the section's

+	relocation count to make sure that it is reasonable before

+	attempting to allocate space for the relocs.

+---

+ binutils/objdump.c | 11 ++++++++++-

+

+diff --git a/binutils/objdump.c b/binutils/objdump.c

+index 40b4acf..e7d91e8 100644

+--- a/binutils/objdump.c

+@@ -3427,7 +3427,16 @@ dump_relocs_in_section (bfd *abfd,

+     }

+ 

+   if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0

+-      && (ufile_ptr) relsize > bfd_get_file_size (abfd))

++      && (((ufile_ptr) relsize > bfd_get_file_size (abfd))

++	  /* Also check the section's reloc count since if this is negative

++	     (or very large) the computation in bfd_get_reloc_upper_bound

++	     may have resulted in returning a small, positive integer.

++	     See PR 22508 for a reproducer.

++

++	     Note - we check against file size rather than section size as

++	     it is possible for there to be more relocs that apply to a

++	     section than there are bytes in that section.  */

++	  || (section->reloc_count > bfd_get_file_size (abfd))))

+     {

+       printf (" (too many: 0x%x)\n", section->reloc_count);

+       bfd_set_error (bfd_error_file_truncated);

+-- 

+2.9.3

+

new file mode 100644

@@ -0,0 +1,28 @@

+From 4581a1c7d304ce14e714b27522ebf3d0188d6543 Mon Sep 17 00:00:00 2001

+From: Nick Clifton <nickc@redhat.com>

+Date: Wed, 29 Nov 2017 17:12:12 +0000

+Subject: [PATCH] Check for a NULL symbol pointer when reading relocs from a

+ COFF based file.

+

+	PR 22509

+	* coffcode.h (coff_slurp_reloc_table): Check for a NULL symbol

+	pointer when processing relocs.

+---

+ bfd/coffcode.h | 2 +-

+

+diff --git a/bfd/coffcode.h b/bfd/coffcode.h

+index 604ba6d..d30cd58 100644

+--- a/bfd/coffcode.h

+@@ -5335,7 +5335,7 @@ coff_slurp_reloc_table (bfd * abfd, sec_ptr asect, asymbol ** symbols)

+ #else

+       cache_ptr->address = dst.r_vaddr;

+ 

+-      if (dst.r_symndx != -1)

++      if (dst.r_symndx != -1 && symbols != NULL)

+ 	{

+ 	  if (dst.r_symndx < 0 || dst.r_symndx >= obj_conv_table_size (abfd))

+ 	    {

+-- 

+2.9.3

+

new file mode 100644

@@ -0,0 +1,37 @@

+From b0029dce6867de1a2828293177b0e030d2f0f03c Mon Sep 17 00:00:00 2001

+From: Nick Clifton <nickc@redhat.com>

+Date: Tue, 28 Nov 2017 18:00:29 +0000

+Subject: [PATCH] Prevent a memory exhaustion problem when trying to read in

+ strings from a COFF binary with a corrupt string table size.

+

+	PR 22507

+	* coffgen.c (_bfd_coff_read_string_table): Check for an excessive

+	size of the external string table.

+---

+ bfd/coffgen.c | 4 ++--

+

+diff --git a/bfd/coffgen.c b/bfd/coffgen.c

+index 81efd9b..7798dfc 100644

+--- a/bfd/coffgen.c

+@@ -1718,7 +1718,7 @@ _bfd_coff_read_string_table (bfd *abfd)

+ #endif

+     }

+ 

+-  if (strsize < STRING_SIZE_SIZE)

++  if (strsize < STRING_SIZE_SIZE || strsize > bfd_get_file_size (abfd))

+     {

+       _bfd_error_handler

+ 	/* xgettext: c-format */

+@@ -1726,7 +1726,7 @@ _bfd_coff_read_string_table (bfd *abfd)

+       bfd_set_error (bfd_error_bad_value);

+       return NULL;

+     }

+-

++  

+   strings = (char *) bfd_malloc (strsize + 1);

+   if (strings == NULL)

+     return NULL;

+-- 

+2.9.3

+

new file mode 100644

@@ -0,0 +1,103 @@

+From 160b1a618ad94988410dc81fce9189fcda5b7ff4 Mon Sep 17 00:00:00 2001

+From: Alan Modra <amodra@gmail.com>

+Date: Sat, 18 Nov 2017 23:18:22 +1030

+Subject: [PATCH] PR22443, Global buffer overflow in

+ _bfd_elf_get_symbol_version_string

+

+Symbols like *ABS* defined in bfd/section.c:global_syms are not

+elf_symbol_type.  They can appear on relocs and perhaps other places

+in an ELF bfd, so a number of places in nm.c and objdump.c are wrong

+to cast an asymbol based on the bfd being ELF.  I think we lose

+nothing by excluding all section symbols, not just the global_syms.

+

+	PR 22443

+	* nm.c (sort_symbols_by_size): Don't attempt to access

+	section symbol internal_elf_sym.

+	(print_symbol): Likewise.  Don't call bfd_get_symbol_version_string

+	for section symbols.

+	* objdump.c (compare_symbols): Don't attempt to access

+	section symbol internal_elf_sym.

+	(objdump_print_symname): Don't call bfd_get_symbol_version_string

+	for section symbols.

+---

+ binutils/nm.c      | 17 ++++++++++-------

+ binutils/objdump.c |  6 +++---

+diff --git a/binutils/nm.c b/binutils/nm.c

+index 5b421785..dd49f09 100644

+--- a/binutils/nm.c

+@@ -763,7 +763,6 @@ sort_symbols_by_size (bfd *abfd, bfd_boolean is_dynamic, void *minisyms,

+       asection *sec;

+       bfd_vma sz;

+       asymbol *temp;

+-      int synthetic = (sym->flags & BSF_SYNTHETIC);

+ 

+       if (from + size < fromend)

+ 	{

+@@ -780,10 +779,13 @@ sort_symbols_by_size (bfd *abfd, bfd_boolean is_dynamic, void *minisyms,

+       sec = bfd_get_section (sym);

+ 

+       /* Synthetic symbols don't have a full type set of data available, thus

+-	 we can't rely on that information for the symbol size.  */

+-      if (!synthetic && bfd_get_flavour (abfd) == bfd_target_elf_flavour)

++	 we can't rely on that information for the symbol size.  Ditto for

++	 bfd/section.c:global_syms like *ABS*.  */

++      if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0

++	  && bfd_get_flavour (abfd) == bfd_target_elf_flavour)

+ 	sz = ((elf_symbol_type *) sym)->internal_elf_sym.st_size;

+-      else if (!synthetic && bfd_is_com_section (sec))

++      else if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0

++	       && bfd_is_com_section (sec))

+ 	sz = sym->value;

+       else

+ 	{

+@@ -872,8 +874,9 @@ print_symbol (bfd *        abfd,

+ 

+   info.sinfo = &syminfo;

+   info.ssize = ssize;

+-  /* Synthetic symbols do not have a full symbol type set of data available.  */

+-  if ((sym->flags & BSF_SYNTHETIC) != 0)

++  /* Synthetic symbols do not have a full symbol type set of data available.

++     Nor do bfd/section.c:global_syms like *ABS*.  */

++  if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) != 0)

+     {

+       info.elfinfo = NULL;

+       info.coffinfo = NULL;

+@@ -891,7 +894,7 @@ print_symbol (bfd *        abfd,

+       const char *  version_string = NULL;

+       bfd_boolean   hidden = FALSE;

+ 

+-      if ((sym->flags & BSF_SYNTHETIC) == 0)

++      if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)

+ 	version_string = bfd_get_symbol_version_string (abfd, sym, &hidden);

+ 

+       if (bfd_is_und_section (bfd_get_section (sym)))

+diff --git a/binutils/objdump.c b/binutils/objdump.c

+index 1a1e32f..40b4acf 100644

+--- a/binutils/objdump.c

+@@ -799,10 +799,10 @@ compare_symbols (const void *ap, const void *bp)

+       bfd_vma asz, bsz;

+ 

+       asz = 0;

+-      if ((a->flags & BSF_SYNTHETIC) == 0)

++      if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)

+ 	asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;

+       bsz = 0;

+-      if ((b->flags & BSF_SYNTHETIC) == 0)

++      if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)

+ 	bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;

+       if (asz != bsz)

+ 	return asz > bsz ? -1 : 1;

+@@ -888,7 +888,7 @@ objdump_print_symname (bfd *abfd, struct disassemble_info *inf,

+ 	name = alloc;

+     }

+ 

+-  if ((sym->flags & BSF_SYNTHETIC) == 0)

++  if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)

+     version_string = bfd_get_symbol_version_string (abfd, sym, &hidden);

+ 

+   if (bfd_is_und_section (bfd_get_section (sym)))

+-- 

+2.9.3

+

@@ -1,7 +1,7 @@

 Summary:	Contains a linker, an assembler, and other tools

 Name:		binutils

 Version:	2.29.1

-Release:	4%{?dist}

+Release:	5%{?dist}

 License:	GPLv2+

 URL:		http://www.gnu.org/software/binutils

 Group:		System Environment/Base

@@ -18,7 +18,11 @@ Patch5:         binutils-2.29.1-CVE-2017-16829.patch

 Patch6:         binutils-2.29.1-CVE-2017-16830.patch

 Patch7:         binutils-2.29.1-CVE-2017-16831.patch

 Patch8:         binutils-2.29.1-CVE-2017-16832.patch

-

+Patch9:         binutils-2.29.1-CVE-2017-17121.patch

+Patch10:        binutils-2.29.1-CVE-2017-17122.patch

+Patch11:        binutils-2.29.1-CVE-2017-17123.patch

+Patch12:        binutils-2.29.1-CVE-2017-17124.patch

+Patch13:        binutils-2.29.1-CVE-2017-17125.patch

 %description

 The Binutils package contains a linker, an assembler,

 and other tools for handling object files.

@@ -39,6 +43,11 @@ for handling compiled objects.

 %patch6 -p1

 %patch7 -p1

 %patch8 -p1

+%patch9 -p1

+%patch10 -p1

+%patch11 -p1

+%patch12 -p1

+%patch13 -p1

 %build

 install -vdm 755 ../binutils-build

@@ -126,6 +135,9 @@ make %{?_smp_mflags} check

 %{_libdir}/libopcodes.so

 %changelog

+*   Mon Dec 18 2017 Anish Swaminathan <anishs@vmware.com> 2.29.1-5

+-   Fix CVEs CVE-2017-17121, CVE-2017-17122, CVE-2017-17123,

+-   CVE-2017-17124, CVE-2017-17125

 *   Mon Dec 4 2017 Anish Swaminathan <anishs@vmware.com> 2.29.1-4

 -   Fix CVEs CVE-2017-16826, CVE-2017-16827, CVE-2017-16828, CVE-2017-16829,

 -   CVE-2017-16830, CVE-2017-16831, CVE-2017-16832