Browse code
binutils fix CVE-2019-9077 and CVE-2019-9075
Change-Id: Ifb80d5f205afbb9bac96a78bf31439c02f24c31e
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6880
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
Priyesh Padmavilasom authored on 2019/03/15 08:34:36Showing 3 changed files
- SPECS/binutils/binutils-CVE-2019-9075.patch
- SPECS/binutils/binutils-CVE-2019-9077.patch
- SPECS/binutils/binutils.spec
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,95 @@ |
| 0 |
+From 8abac8031ed369a2734b1cdb7df28a39a54b4b49 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Alan Modra <amodra@gmail.com> |
|
| 2 |
+Date: Wed, 20 Feb 2019 08:21:24 +1030 |
|
| 3 |
+Subject: [PATCH] PR24236, Heap buffer overflow in |
|
| 4 |
+ _bfd_archive_64_bit_slurp_armap |
|
| 5 |
+ |
|
| 6 |
+ PR 24236 |
|
| 7 |
+ * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding |
|
| 8 |
+ sentinel NUL to string buffer nearer to loop where it is used. |
|
| 9 |
+ Don't go past sentinel when scanning strings, and don't write |
|
| 10 |
+ NUL again. |
|
| 11 |
+ * archive.c (do_slurp_coff_armap): Simplify string handling to |
|
| 12 |
+ archive64.c style. |
|
| 13 |
+--- |
|
| 14 |
+ bfd/archive.c | 17 +++++++---------- |
|
| 15 |
+ bfd/archive64.c | 10 +++++----- |
|
| 16 |
+ 2 files changed, 12 insertions(+), 15 deletions(-) |
|
| 17 |
+ |
|
| 18 |
+diff --git a/bfd/archive.c b/bfd/archive.c |
|
| 19 |
+index d2d9b72..68a92a3 100644 |
|
| 20 |
+--- a/bfd/archive.c |
|
| 21 |
+@@ -1012,6 +1012,7 @@ do_slurp_coff_armap (bfd *abfd) |
|
| 22 |
+ int *raw_armap, *rawptr; |
|
| 23 |
+ struct artdata *ardata = bfd_ardata (abfd); |
|
| 24 |
+ char *stringbase; |
|
| 25 |
++ char *stringend; |
|
| 26 |
+ bfd_size_type stringsize; |
|
| 27 |
+ bfd_size_type parsed_size; |
|
| 28 |
+ carsym *carsyms; |
|
| 29 |
+@@ -1071,22 +1072,18 @@ do_slurp_coff_armap (bfd *abfd) |
|
| 30 |
+ } |
|
| 31 |
+ |
|
| 32 |
+ /* OK, build the carsyms. */ |
|
| 33 |
+- for (i = 0; i < nsymz && stringsize > 0; i++) |
|
| 34 |
++ stringend = stringbase + stringsize; |
|
| 35 |
++ *stringend = 0; |
|
| 36 |
++ for (i = 0; i < nsymz; i++) |
|
| 37 |
+ {
|
|
| 38 |
+- bfd_size_type len; |
|
| 39 |
+- |
|
| 40 |
+ rawptr = raw_armap + i; |
|
| 41 |
+ carsyms->file_offset = swap ((bfd_byte *) rawptr); |
|
| 42 |
+ carsyms->name = stringbase; |
|
| 43 |
+- /* PR 17512: file: 4a1d50c1. */ |
|
| 44 |
+- len = strnlen (stringbase, stringsize); |
|
| 45 |
+- if (len < stringsize) |
|
| 46 |
+- len ++; |
|
| 47 |
+- stringbase += len; |
|
| 48 |
+- stringsize -= len; |
|
| 49 |
++ stringbase += strlen (stringbase); |
|
| 50 |
++ if (stringbase != stringend) |
|
| 51 |
++ ++stringbase; |
|
| 52 |
+ carsyms++; |
|
| 53 |
+ } |
|
| 54 |
+- *stringbase = 0; |
|
| 55 |
+ |
|
| 56 |
+ ardata->symdef_count = nsymz; |
|
| 57 |
+ ardata->first_file_filepos = bfd_tell (abfd); |
|
| 58 |
+diff --git a/bfd/archive64.c b/bfd/archive64.c |
|
| 59 |
+index 312bf82..42f6ed9 100644 |
|
| 60 |
+--- a/bfd/archive64.c |
|
| 61 |
+@@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd) |
|
| 62 |
+ return FALSE; |
|
| 63 |
+ carsyms = ardata->symdefs; |
|
| 64 |
+ stringbase = ((char *) ardata->symdefs) + carsym_size; |
|
| 65 |
+- stringbase[stringsize] = 0; |
|
| 66 |
+- stringend = stringbase + stringsize; |
|
| 67 |
+ |
|
| 68 |
+ raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize); |
|
| 69 |
+ if (raw_armap == NULL) |
|
| 70 |
+@@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd) |
|
| 71 |
+ goto release_raw_armap; |
|
| 72 |
+ } |
|
| 73 |
+ |
|
| 74 |
++ stringend = stringbase + stringsize; |
|
| 75 |
++ *stringend = 0; |
|
| 76 |
+ for (i = 0; i < nsymz; i++) |
|
| 77 |
+ {
|
|
| 78 |
+ carsyms->file_offset = bfd_getb64 (raw_armap + i * 8); |
|
| 79 |
+ carsyms->name = stringbase; |
|
| 80 |
+- if (stringbase < stringend) |
|
| 81 |
+- stringbase += strlen (stringbase) + 1; |
|
| 82 |
++ stringbase += strlen (stringbase); |
|
| 83 |
++ if (stringbase != stringend) |
|
| 84 |
++ ++stringbase; |
|
| 85 |
+ ++carsyms; |
|
| 86 |
+ } |
|
| 87 |
+- *stringbase = '\0'; |
|
| 88 |
+ |
|
| 89 |
+ ardata->symdef_count = nsymz; |
|
| 90 |
+ ardata->first_file_filepos = bfd_tell (abfd); |
|
| 91 |
+-- |
|
| 92 |
+2.9.3 |
| 0 | 93 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,32 @@ |
| 0 |
+From 7fc0c668f2aceb8582d74db1ad2528e2bba8a921 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Nick Clifton <nickc@redhat.com> |
|
| 2 |
+Date: Wed, 20 Feb 2019 17:03:47 +0000 |
|
| 3 |
+Subject: [PATCH] Fix a illegal memory access fault when parsing a corrupt MIPS |
|
| 4 |
+ option section using readelf. |
|
| 5 |
+ |
|
| 6 |
+ PR 24243 |
|
| 7 |
+ * readelf.c (process_mips_specific): Check for an options section |
|
| 8 |
+ that is too small to even contain a single option. |
|
| 9 |
+--- |
|
| 10 |
+ binutils/readelf.c | 6 ++++++ |
|
| 11 |
+ 1 files changed, 6 insertions(+) |
|
| 12 |
+ |
|
| 13 |
+diff --git a/binutils/readelf.c b/binutils/readelf.c |
|
| 14 |
+index 54d165e..20ebacc 100644 |
|
| 15 |
+--- a/binutils/readelf.c |
|
| 16 |
+@@ -16187,6 +16187,12 @@ process_mips_specific (Filedata * filedata) |
|
| 17 |
+ error (_("No MIPS_OPTIONS header found\n"));
|
|
| 18 |
+ return FALSE; |
|
| 19 |
+ } |
|
| 20 |
++ /* PR 24243 */ |
|
| 21 |
++ if (sect->sh_size < sizeof (* eopt)) |
|
| 22 |
++ {
|
|
| 23 |
++ error (_("The MIPS options section is too small.\n"));
|
|
| 24 |
++ return FALSE; |
|
| 25 |
++ } |
|
| 26 |
+ |
|
| 27 |
+ eopt = (Elf_External_Options *) get_data (NULL, filedata, options_offset, 1, |
|
| 28 |
+ sect->sh_size, _("options"));
|
|
| 29 |
+-- |
|
| 30 |
+2.9.3 |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: Contains a linker, an assembler, and other tools |
| 2 | 2 |
Name: binutils |
| 3 | 3 |
Version: 2.31 |
| 4 |
-Release: 3%{?dist}
|
|
| 4 |
+Release: 4%{?dist}
|
|
| 5 | 5 |
License: GPLv2+ |
| 6 | 6 |
URL: http://www.gnu.org/software/binutils |
| 7 | 7 |
Group: System Environment/Base |
| ... | ... |
@@ -15,6 +15,8 @@ Patch2: binutils-CVE-2018-18607.patch |
| 15 | 15 |
Patch3: binutils-CVE-2018-18606.patch |
| 16 | 16 |
Patch4: binutils-CVE-2018-19931.patch |
| 17 | 17 |
Patch5: binutils-CVE-2018-1000876.patch |
| 18 |
+Patch6: binutils-CVE-2019-9075.patch |
|
| 19 |
+Patch7: binutils-CVE-2019-9077.patch |
|
| 18 | 20 |
|
| 19 | 21 |
%description |
| 20 | 22 |
The Binutils package contains a linker, an assembler, |
| ... | ... |
@@ -35,6 +37,8 @@ for handling compiled objects. |
| 35 | 35 |
%patch3 -p1 |
| 36 | 36 |
%patch4 -p1 |
| 37 | 37 |
%patch5 -p1 |
| 38 |
+%patch6 -p1 |
|
| 39 |
+%patch7 -p1 |
|
| 38 | 40 |
|
| 39 | 41 |
%build |
| 40 | 42 |
install -vdm 755 ../binutils-build |
| ... | ... |
@@ -123,6 +127,8 @@ make %{?_smp_mflags} check
|
| 123 | 123 |
%{_libdir}/libopcodes.so
|
| 124 | 124 |
|
| 125 | 125 |
%changelog |
| 126 |
+* Thu Mar 14 2019 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.31-4 |
|
| 127 |
+- Fix CVE-2019-9075 and CVE-2019-9077 |
|
| 126 | 128 |
* Wed Feb 13 2019 Alexey Makhalov <amakhalov@vmware.com> 2.31-3 |
| 127 | 129 |
- Fix CVE-2018-19931 and CVE-2018-1000876 |
| 128 | 130 |
* Wed Jan 02 2019 Ankit Jain <ankitja@vmware.com> 2.31-2 |