new file mode 100644

@@ -0,0 +1,174 @@

+From 3a551c7a1b80fca579461774860574eabfd7f18f Mon Sep 17 00:00:00 2001

+From: Alan Modra <amodra@gmail.com>

+Date: Sun, 16 Dec 2018 23:02:50 +1030

+Subject: [PATCH] PR23994, libbfd integer overflow

+

+	PR 23994

+	* aoutx.h: Include limits.h.

+	(get_reloc_upper_bound): Detect long overflow and return a file

+	too big error if it occurs.

+	* elf.c: Include limits.h.

+	(_bfd_elf_get_symtab_upper_bound): Detect long overflow and return

+	a file too big error if it occurs.

+	(_bfd_elf_get_dynamic_symtab_upper_bound): Likewise.

+	(_bfd_elf_get_dynamic_reloc_upper_bound): Likewise.

+---

+ bfd/aoutx.h   | 40 +++++++++++++++++++++-------------------

+ bfd/elf.c     | 32 ++++++++++++++++++++++++--------

+ 2 files changed, 45 insertions(+), 27 deletions(-)

+

+diff --git a/bfd/aoutx.h b/bfd/aoutx.h

+index 023843b..78eaa9c 100644

+--- a/bfd/aoutx.h

+@@ -117,6 +117,7 @@ DESCRIPTION

+ #define KEEPIT udata.i

+ 

+ #include "sysdep.h"

++#include <limits.h>

+ #include "bfd.h"

+ #include "safe-ctype.h"

+ #include "bfdlink.h"

+@@ -2491,6 +2492,8 @@ NAME (aout, canonicalize_reloc) (bfd *abfd,

+ long

+ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)

+ {

++  bfd_size_type count;

++

+   if (bfd_get_format (abfd) != bfd_object)

+     {

+       bfd_set_error (bfd_error_invalid_operation);

+@@ -2498,26 +2501,25 @@ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)

+     }

+ 

+   if (asect->flags & SEC_CONSTRUCTOR)

+-    return sizeof (arelent *) * (asect->reloc_count + 1);

+-

+-  if (asect == obj_datasec (abfd))

+-    return sizeof (arelent *)

+-      * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd))

+-	 + 1);

+-

+-  if (asect == obj_textsec (abfd))

+-    return sizeof (arelent *)

+-      * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd))

+-	 + 1);

+-

+-  if (asect == obj_bsssec (abfd))

+-    return sizeof (arelent *);

+-

+-  if (asect == obj_bsssec (abfd))

+-    return 0;

++    count = asect->reloc_count;

++  else if (asect == obj_datasec (abfd))

++    count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd);

++  else if (asect == obj_textsec (abfd))

++    count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd);

++  else if (asect == obj_bsssec (abfd))

++    count = 0;

++  else

++    {

++      bfd_set_error (bfd_error_invalid_operation);

++      return -1;

++    }

+ 

+-  bfd_set_error (bfd_error_invalid_operation);

+-  return -1;

++  if (count >= LONG_MAX / sizeof (arelent *))

++    {

++      bfd_set_error (bfd_error_file_too_big);

++      return -1;

++    }

++  return (count + 1) * sizeof (arelent *);

+ }

+ 

+ long

+diff --git a/bfd/elf.c b/bfd/elf.c

+index 688429b..b10dcd8 100644

+--- a/bfd/elf.c

+@@ -35,6 +35,7 @@ SECTION

+ /* For sparc64-cross-sparc32.  */

+ #define _SYSCALL32

+ #include "sysdep.h"

++#include <limits.h>

+ #include "bfd.h"

+ #include "bfdlink.h"

+ #include "libbfd.h"

+@@ -8215,11 +8216,16 @@ error_return:

+ long

+ _bfd_elf_get_symtab_upper_bound (bfd *abfd)

+ {

+-  long symcount;

++  bfd_size_type symcount;

+   long symtab_size;

+   Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->symtab_hdr;

+ 

+   symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;

++  if (symcount >= LONG_MAX / sizeof (asymbol *))

++    {

++      bfd_set_error (bfd_error_file_too_big);

++      return -1;

++    }

+   symtab_size = (symcount + 1) * (sizeof (asymbol *));

+   if (symcount > 0)

+     symtab_size -= sizeof (asymbol *);

+@@ -8230,7 +8236,7 @@ _bfd_elf_get_symtab_upper_bound (bfd *abfd)

+ long

+ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)

+ {

+-  long symcount;

++  bfd_size_type symcount;

+   long symtab_size;

+   Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->dynsymtab_hdr;

+ 

+@@ -8241,6 +8247,11 @@ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)

+     }

+ 

+   symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;

++  if (symcount >= LONG_MAX / sizeof (asymbol *))

++    {

++      bfd_set_error (bfd_error_file_too_big);

++      return -1;

++    }

+   symtab_size = (symcount + 1) * (sizeof (asymbol *));

+   if (symcount > 0)

+     symtab_size -= sizeof (asymbol *);

+@@ -8310,7 +8321,7 @@ _bfd_elf_canonicalize_dynamic_symtab (bfd *abfd,

+ long

+ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)

+ {

+-  long ret;

++  bfd_size_type count;

+   asection *s;

+ 

+   if (elf_dynsymtab (abfd) == 0)

+@@ -8319,15 +8330,20 @@ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)

+       return -1;

+     }

+ 

+-  ret = sizeof (arelent *);

++  count = 1;

+   for (s = abfd->sections; s != NULL; s = s->next)

+     if (elf_section_data (s)->this_hdr.sh_link == elf_dynsymtab (abfd)

+ 	&& (elf_section_data (s)->this_hdr.sh_type == SHT_REL

+ 	    || elf_section_data (s)->this_hdr.sh_type == SHT_RELA))

+-      ret += ((s->size / elf_section_data (s)->this_hdr.sh_entsize)

+-	      * sizeof (arelent *));

+-

+-  return ret;

++      {

++	count += s->size / elf_section_data (s)->this_hdr.sh_entsize;

++	if (count > LONG_MAX / sizeof (arelent *))

++	  {

++	    bfd_set_error (bfd_error_file_too_big);

++	    return -1;

++	  }

++      }

++  return count * sizeof (arelent *);

+ }

+ 

+ /* Canonicalize the dynamic relocation entries.  Note that we return the

+-- 

+2.9.3

+

new file mode 100644

@@ -0,0 +1,31 @@

+From 5f60af5d24d181371d67534fa273dd221df20c07 Mon Sep 17 00:00:00 2001

+From: Nick Clifton <nickc@redhat.com>

+Date: Fri, 30 Nov 2018 11:45:33 +0000

+Subject: [PATCH] Fix a memory exhaustion bug when attempting to allocate room

+ for an impossible number of program headers.

+

+	* elfcode.h (elf_object_p): Check for corrupt input files with

+	more program headers than can actually fit in the file.

+---

+ bfd/elfcode.h | 5 +++++

+ 1 file changed, 5 insertions(+)

+

+diff --git a/bfd/elfcode.h b/bfd/elfcode.h

+index f224c8b..16ed8e5 100644

+--- a/bfd/elfcode.h

+@@ -784,6 +784,11 @@ elf_object_p (bfd *abfd)

+       if (i_ehdrp->e_phnum > ((bfd_size_type) -1) / sizeof (*i_phdr))

+ 	goto got_wrong_format_error;

+ #endif

++      /* Check for a corrupt input file with an impossibly large number

++	 of program headers.  */

++      if (bfd_get_file_size (abfd) > 0

++	  && i_ehdrp->e_phnum > bfd_get_file_size (abfd))

++	goto got_no_match;

+       amt = (bfd_size_type) i_ehdrp->e_phnum * sizeof (*i_phdr);

+       elf_tdata (abfd)->phdr = (Elf_Internal_Phdr *) bfd_alloc (abfd, amt);

+       if (elf_tdata (abfd)->phdr == NULL)

+-- 

+2.9.3

+

@@ -1,7 +1,7 @@

 Summary:        Contains a linker, an assembler, and other tools

 Name:           binutils

 Version:        2.31

-Release:        2%{?dist}

+Release:        3%{?dist}

 License:        GPLv2+

 URL:            http://www.gnu.org/software/binutils

 Group:          System Environment/Base

@@ -13,6 +13,8 @@ Patch0:         binutils-CVE-2018-17794-18700-18701-18484.patch

 Patch1:         binutils-CVE-2018-18605.patch

 Patch2:         binutils-CVE-2018-18607.patch

 Patch3:         binutils-CVE-2018-18606.patch

+Patch4:         binutils-CVE-2018-19931.patch

+Patch5:         binutils-CVE-2018-1000876.patch

 %description

 The Binutils package contains a linker, an assembler,

@@ -31,6 +33,8 @@ for handling compiled objects.

 %patch1 -p1

 %patch2 -p1

 %patch3 -p1

+%patch4 -p1

+%patch5 -p1

 %build

 install -vdm 755 ../binutils-build

@@ -119,6 +123,8 @@ make %{?_smp_mflags} check

 %{_libdir}/libopcodes.so

 %changelog

+*   Wed Feb 13 2019 Alexey Makhalov <amakhalov@vmware.com> 2.31-3

+-   Fix CVE-2018-19931 and CVE-2018-1000876

 *   Wed Jan 02 2019 Ankit Jain <ankitja@vmware.com> 2.31-2

 -   Fixes for CVE-2018-17794, CVE-2018-18700, CVE-2018-18701

 -   CVE-2018-18484, CVE-2018-18605, CVE-2018-18606, CVE-2018-18607