new file mode 100644

@@ -0,0 +1,40 @@

+From 6aea08d9f3e3d6475a65454da488a0c51f5dc97d Mon Sep 17 00:00:00 2001

+From: Nick Clifton <nickc@redhat.com>

+Date: Tue, 17 Apr 2018 12:35:55 +0100

+Subject: [PATCH] Fix illegal memory access when parsing corrupt DWARF

+ information.

+

+	PR 23064

+	* dwarf.c (process_cu_tu_index): Test for a potential buffer

+	overrun before copying signature pointer.

+---

+ binutils/ChangeLog |  6 ++++++

+ binutils/dwarf.c   | 13 ++++++++++++-

+ 2 files changed, 18 insertions(+), 1 deletion(-)

+

+diff --git a/binutils/dwarf.c b/binutils/dwarf.c

+index 10b4e28..f94f5b2 100644

+--- a/binutils/dwarf.c

+@@ -9287,7 +9287,18 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)

+ 		}

+ 

+ 	      if (!do_display)

+-		memcpy (&this_set[row - 1].signature, ph, sizeof (uint64_t));

++		{

++		  size_t num_copy = sizeof (uint64_t);

++

++		  /* PR 23064: Beware of buffer overflow.  */

++		  if (ph + num_copy < limit)

++		    memcpy (&this_set[row - 1].signature, ph, num_copy);

++		  else

++		    {

++		      warn (_("Signature (%p) extends beyond end of space in section\n"), ph);

++		      return 0;

++		    }

++		}

+ 

+ 	      prow = poffsets + (row - 1) * ncols * 4;

+ 	      /* PR 17531: file: b8ce60a8.  */

+-- 

+2.9.3

new file mode 100644

@@ -0,0 +1,44 @@

+From db0c309f4011ca94a4abc8458e27f3734dab92ac Mon Sep 17 00:00:00 2001

+From: Nick Clifton <nickc@redhat.com>

+Date: Tue, 24 Apr 2018 16:57:04 +0100

+Subject: [PATCH] Fix an illegal memory access when trying to copy an ELF

+ binary with corrupt section symbols.

+

+	PR 23113

+	* elf.c (ignore_section_sym): Check for the output_section pointer

+	being NULL before dereferencing it.

+---

+ bfd/ChangeLog | 4 ++++

+ bfd/elf.c     | 9 ++++++++-

+ 2 files changed, 12 insertions(+), 1 deletion(-)

+

+diff --git a/bfd/elf.c b/bfd/elf.c

+index 8ea5a81..092b275 100644

+--- a/bfd/elf.c

+@@ -4022,15 +4022,22 @@ ignore_section_sym (bfd *abfd, asymbol *sym)

+ {

+   elf_symbol_type *type_ptr;

+ 

++  if (sym == NULL)

++    return FALSE;

++

+   if ((sym->flags & BSF_SECTION_SYM) == 0)

+     return FALSE;

+ 

++  if (sym->section == NULL)

++    return TRUE;

++

+   type_ptr = elf_symbol_from (abfd, sym);

+   return ((type_ptr != NULL

+ 	   && type_ptr->internal_elf_sym.st_shndx != 0

+ 	   && bfd_is_abs_section (sym->section))

+ 	  || !(sym->section->owner == abfd

+-	       || (sym->section->output_section->owner == abfd

++	       || (sym->section->output_section != NULL

++		   && sym->section->output_section->owner == abfd

+ 		   && sym->section->output_offset == 0)

+ 	       || bfd_is_abs_section (sym->section)));

+ }

+-- 

+2.9.3

new file mode 100644

@@ -0,0 +1,89 @@

+From 64e234d417d5685a4aec0edc618114d9991c031b Mon Sep 17 00:00:00 2001

+From: Nick Clifton <nickc@redhat.com>

+Date: Tue, 6 Feb 2018 15:48:29 +0000

+Subject: [PATCH] Prevent attempts to call strncpy with a zero-length field by

+ chacking the size of debuglink sections.

+

+	PR 22794

+	* opncls.c (bfd_get_debug_link_info_1): Check the size of the

+	section before attempting to read it in.

+	(bfd_get_alt_debug_link_info): Likewise.

+---

+ bfd/ChangeLog |  7 +++++++

+ bfd/opncls.c  | 22 +++++++++++++++++-----

+ 2 files changed, 24 insertions(+), 5 deletions(-)

+

+diff --git a/bfd/opncls.c b/bfd/opncls.c

+index 458f06e..16b568c 100644

+--- a/bfd/opncls.c

+@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out)

+   bfd_byte *contents;

+   unsigned int crc_offset;

+   char *name;

++  bfd_size_type size;

+ 

+   BFD_ASSERT (abfd);

+   BFD_ASSERT (crc32_out);

+@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out)

+   if (sect == NULL)

+     return NULL;

+ 

++  size = bfd_get_section_size (sect);

++

++  /* PR 22794: Make sure that the section has a reasonable size.  */

++  if (size < 8 || size >= bfd_get_size (abfd))

++    return NULL;

++

+   if (!bfd_malloc_and_get_section (abfd, sect, &contents))

+     {

+       if (contents != NULL)

+@@ -1197,10 +1204,10 @@ bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out)

+ 

+   /* CRC value is stored after the filename, aligned up to 4 bytes.  */

+   name = (char *) contents;

+-  /* PR 17597: avoid reading off the end of the buffer.  */

+-  crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;

++  /* PR 17597: Avoid reading off the end of the buffer.  */

++  crc_offset = strnlen (name, size) + 1;

+   crc_offset = (crc_offset + 3) & ~3;

+-  if (crc_offset + 4 > bfd_get_section_size (sect))

++  if (crc_offset + 4 > size)

+     return NULL;

+ 

+   *crc32 = bfd_get_32 (abfd, contents + crc_offset);

+@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd, bfd_size_type *buildid_len,

+   bfd_byte *contents;

+   unsigned int buildid_offset;

+   char *name;

++  bfd_size_type size;

+ 

+   BFD_ASSERT (abfd);

+   BFD_ASSERT (buildid_len);

+@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd, bfd_size_type *buildid_len,

+   if (sect == NULL)

+     return NULL;

+ 

++  size = bfd_get_section_size (sect);

++  if (size < 8 || size >= bfd_get_size (abfd))

++    return NULL;

++

+   if (!bfd_malloc_and_get_section (abfd, sect, & contents))

+     {

+       if (contents != NULL)

+@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd, bfd_size_type *buildid_len,

+ 

+   /* BuildID value is stored after the filename.  */

+   name = (char *) contents;

+-  buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1;

++  buildid_offset = strnlen (name, size) + 1;

+   if (buildid_offset >= bfd_get_section_size (sect))

+     return NULL;

+ 

+-  *buildid_len = bfd_get_section_size (sect) - buildid_offset;

++  *buildid_len = size - buildid_offset;

+   *buildid_out = bfd_malloc (*buildid_len);

+   memcpy (*buildid_out, contents + buildid_offset, *buildid_len);

+ 

+-- 

+2.9.3

new file mode 100644

@@ -0,0 +1,29 @@

+From ef135d4314fd4c2d7da66b9d7b59af4a85b0f7e6 Mon Sep 17 00:00:00 2001

+From: Nick Clifton <nickc@redhat.com>

+Date: Thu, 8 Feb 2018 10:28:25 +0000

+Subject: [PATCH 1/1] Fix a seg-fault in the ELF note parser when a note with

+ an excessively large alignment is encountered.

+

+	PR 22788

+	* elf.c (elf_parse_notes): Reject notes with excessuively large

+	alignments.

+---

+ bfd/ChangeLog | 6 ++++++

+ bfd/elf.c     | 2 ++

+ 2 files changed, 8 insertions(+)

+

+diff --git a/bfd/elf.c b/bfd/elf.c

+index dedf35f..db1e076 100644

+--- a/bfd/elf.c

+@@ -11012,6 +11012,8 @@ elf_parse_notes (bfd *abfd, char *buf, size_t size, file_ptr offset,

+      align is less than 4, we use 4 byte alignment.   */

+   if (align < 4)

+     align = 4;

++  if (align != 4 && align != 8)

++    return FALSE;

+ 

+   p = buf;

+   while (p < buf + size)

+-- 

+2.9.3

new file mode 100644

@@ -0,0 +1,55 @@

+From eef104664efb52965d85a28bc3fc7c77e52e48e2 Mon Sep 17 00:00:00 2001

+From: Nick Clifton <nickc@redhat.com>

+Date: Wed, 28 Feb 2018 10:13:54 +0000

+Subject: [PATCH] Fix potential integer overflow when reading corrupt dwarf1

+ debug information.

+

+	PR 22894

+	* dwarf1.c (parse_die): Check the length of form blocks before

+	advancing the data pointer.

+---

+ bfd/ChangeLog |  6 ++++++

+ bfd/dwarf1.c  | 17 +++++++++++++++--

+ 2 files changed, 21 insertions(+), 2 deletions(-)

+

+diff --git a/bfd/dwarf1.c b/bfd/dwarf1.c

+index 71bc57b..f272ea8 100644

+--- a/bfd/dwarf1.c

+@@ -213,6 +213,7 @@ parse_die (bfd *	     abfd,

+   /* Then the attributes.  */

+   while (xptr + 2 <= aDiePtrEnd)

+     {

++      unsigned int   block_len;

+       unsigned short attr;

+ 

+       /* Parse the attribute based on its form.  This section

+@@ -255,12 +256,24 @@ parse_die (bfd *	     abfd,

+ 	  break;

+ 	case FORM_BLOCK2:

+ 	  if (xptr + 2 <= aDiePtrEnd)

+-	    xptr += bfd_get_16 (abfd, xptr);

++	    {

++	      block_len = bfd_get_16 (abfd, xptr);

++	      if (xptr + block_len > aDiePtrEnd

++		  || xptr + block_len < xptr)

++		return FALSE;

++	      xptr += block_len;

++	    }

+ 	  xptr += 2;

+ 	  break;

+ 	case FORM_BLOCK4:

+ 	  if (xptr + 4 <= aDiePtrEnd)

+-	    xptr += bfd_get_32 (abfd, xptr);

++	    {

++	      block_len = bfd_get_32 (abfd, xptr);

++	      if (xptr + block_len > aDiePtrEnd

++		  || xptr + block_len < xptr)

++		return FALSE;

++	      xptr += block_len;

++	    }

+ 	  xptr += 4;

+ 	  break;

+ 	case FORM_STRING:

+-- 

+2.9.3

new file mode 100644

@@ -0,0 +1,96 @@

+From 12c963421d045a127c413a0722062b9932c50aa9 Mon Sep 17 00:00:00 2001

+From: Nick Clifton <nickc@redhat.com>

+Date: Wed, 28 Feb 2018 11:50:49 +0000

+Subject: [PATCH] Catch integer overflows/underflows when parsing corrupt DWARF

+ FORM blocks.

+

+	PR 22895

+	PR 22893

+	* dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block

+	pointer.  Drop unused abfd parameter.  Check the size of the block

+	before initialising the data field.  Return the end pointer if the

+	size is invalid.

+	(read_attribute_value): Adjust invocations of read_n_bytes.

+---

+ bfd/ChangeLog |  8 ++++++++

+ bfd/dwarf2.c  | 36 +++++++++++++++++++++---------------

+ 2 files changed, 29 insertions(+), 15 deletions(-)

+

+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c

+index 2413542..ca22db7 100644

+--- a/bfd/dwarf2.c

+@@ -623,14 +623,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf, bfd_byte *end)

+ }

+ 

+ static bfd_byte *

+-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED,

+-	      bfd_byte *buf,

+-	      bfd_byte *end,

+-	      unsigned int size ATTRIBUTE_UNUSED)

++read_n_bytes (bfd_byte *           buf,

++	      bfd_byte *           end,

++	      struct dwarf_block * block)

+ {

+-  if (buf + size > end)

+-    return NULL;

+-  return buf;

++  unsigned int  size = block->size;

++  bfd_byte *    block_end = buf + size;

++

++  if (block_end > end || block_end < buf)

++    {

++      block->data = NULL;

++      block->size = 0;

++      return end;

++    }

++  else

++    {

++      block->data = buf;

++      return block_end;

++    }

+ }

+ 

+ /* Scans a NUL terminated string starting at BUF, returning a pointer to it.

+@@ -1128,8 +1138,7 @@ read_attribute_value (struct attribute *  attr,

+ 	return NULL;

+       blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end);

+       info_ptr += 2;

+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);

+-      info_ptr += blk->size;

++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);

+       attr->u.blk = blk;

+       break;

+     case DW_FORM_block4:

+@@ -1139,8 +1148,7 @@ read_attribute_value (struct attribute *  attr,

+ 	return NULL;

+       blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end);

+       info_ptr += 4;

+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);

+-      info_ptr += blk->size;

++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);

+       attr->u.blk = blk;

+       break;

+     case DW_FORM_data2:

+@@ -1180,8 +1188,7 @@ read_attribute_value (struct attribute *  attr,

+       blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,

+ 					 FALSE, info_ptr_end);

+       info_ptr += bytes_read;

+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);

+-      info_ptr += blk->size;

++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);

+       attr->u.blk = blk;

+       break;

+     case DW_FORM_block1:

+@@ -1191,8 +1198,7 @@ read_attribute_value (struct attribute *  attr,

+ 	return NULL;

+       blk->size = read_1_byte (abfd, info_ptr, info_ptr_end);

+       info_ptr += 1;

+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);

+-      info_ptr += blk->size;

++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);

+       attr->u.blk = blk;

+       break;

+     case DW_FORM_data1:

+-- 

+2.9.3

new file mode 100644

@@ -0,0 +1,34 @@

+From 116acb2c268c89c89186673a7c92620d21825b25 Mon Sep 17 00:00:00 2001

+From: Alan Modra <amodra@gmail.com>

+Date: Wed, 28 Feb 2018 22:09:50 +1030

+Subject: [PATCH] PR22887, null pointer dereference in

+ aout_32_swap_std_reloc_out

+

+	PR 22887

+	* aoutx.h (swap_std_reloc_in): Correct r_index bound check.

+---

+ bfd/ChangeLog | 5 +++++

+ bfd/aoutx.h   | 6 ++++--

+ 2 files changed, 9 insertions(+), 2 deletions(-)

+

+diff --git a/bfd/aoutx.h b/bfd/aoutx.h

+index 4cadbfb..525e560 100644

+--- a/bfd/aoutx.h

+@@ -2289,10 +2289,12 @@ NAME (aout, swap_std_reloc_in) (bfd *abfd,

+   if (r_baserel)

+     r_extern = 1;

+ 

+-  if (r_extern && r_index > symcount)

++  if (r_extern && r_index >= symcount)

+     {

+       /* We could arrange to return an error, but it might be useful

+-	 to see the file even if it is bad.  */

++	 to see the file even if it is bad.  FIXME: Of course this

++	 means that objdump -r *doesn't* see the actual reloc, and

++	 objcopy silently writes a different reloc.  */

+       r_extern = 0;

+       r_index = N_ABS;

+     }

+-- 

+2.9.3

new file mode 100644

@@ -0,0 +1,51 @@

+From 95a6d23566165208853a68d9cd3c6eedca840ec6 Mon Sep 17 00:00:00 2001

+From: Nick Clifton <nickc@redhat.com>

+Date: Tue, 8 May 2018 12:51:06 +0100

+Subject: [PATCH] Prevent a memory exhaustion failure when running objdump on a

+ fuzzed input file with corrupt string and attribute sections.

+

+	PR 22809

+	* elf.c (bfd_elf_get_str_section): Check for an excessively large

+	string section.

+	* elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the

+	attribute section is larger than the size of the file.

+---

+ bfd/ChangeLog   | 8 ++++++++

+ bfd/elf-attrs.c | 9 +++++++++

+ bfd/elf.c       | 1 +

+ 3 files changed, 18 insertions(+)

+

+diff --git a/bfd/elf-attrs.c b/bfd/elf-attrs.c

+index dfdf1a5..b353309 100644

+--- a/bfd/elf-attrs.c

+@@ -438,6 +438,15 @@ _bfd_elf_parse_attributes (bfd *abfd, Elf_Internal_Shdr * hdr)

+   /* PR 17512: file: 2844a11d.  */

+   if (hdr->sh_size == 0)

+     return;

++  if (hdr->sh_size > bfd_get_file_size (abfd))

++    {

++      /* xgettext:c-format */

++      _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"),

++			  abfd, hdr->bfd_section, (long long) hdr->sh_size);

++      bfd_set_error (bfd_error_invalid_operation);

++      return;

++    }

++

+   contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1);

+   if (!contents)

+     return;

+diff --git a/bfd/elf.c b/bfd/elf.c

+index 21bc4e7..3e8d510 100644

+--- a/bfd/elf.c

+@@ -298,6 +298,7 @@ bfd_elf_get_str_section (bfd *abfd, unsigned int shindex)

+       /* Allocate and clear an extra byte at the end, to prevent crashes

+ 	 in case the string table is not terminated.  */

+       if (shstrtabsize + 1 <= 1

++	  || shstrtabsize > bfd_get_file_size (abfd)

+ 	  || bfd_seek (abfd, offset, SEEK_SET) != 0

+ 	  || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL)

+ 	shstrtab = NULL;

+-- 

+2.9.3

@@ -1,7 +1,7 @@

 Summary:        Contains a linker, an assembler, and other tools

 Name:           binutils

 Version:        2.30

-Release:        4%{?dist}

+Release:        5%{?dist}

 License:        GPLv2+

 URL:            http://www.gnu.org/software/binutils

 Group:          System Environment/Base

@@ -13,6 +13,14 @@ Patch0:         binutils-2.30-CVE-2018-6543.patch

 Patch1:         binutils-2.30-CVE-2018-7643.patch

 Patch2:         binutils-2.30-CVE-2018-7208.patch

 Patch3:         binutils-2.30-CVE-2018-10373.patch

+Patch4:         binutils-2.30-CVE-2018-6759.patch

+Patch5:         binutils-2.30-CVE-2018-6872.patch

+Patch6:         binutils-2.30-CVE-2018-7568.patch

+Patch7:         binutils-2.30-CVE-2018-7569.patch

+Patch8:         binutils-2.30-CVE-2018-7642.patch

+Patch9:         binutils-2.30-CVE-2018-8945.patch

+Patch10:        binutils-2.30-CVE-2018-10372.patch

+Patch11:        binutils-2.30-CVE-2018-10535.patch

 %description

 The Binutils package contains a linker, an assembler,

 and other tools for handling object files.

@@ -30,6 +38,15 @@ for handling compiled objects.

 %patch1 -p1

 %patch2 -p1

 %patch3 -p1

+%patch4 -p1

+%patch5 -p1

+%patch6 -p1

+%patch7 -p1

+%patch8 -p1

+%patch9 -p1

+%patch10 -p1

+%patch11 -p1

+

 %build

 install -vdm 755 ../binutils-build

 cd ../binutils-build

@@ -117,6 +134,9 @@ make %{?_smp_mflags} check

 %{_libdir}/libopcodes.so

 %changelog

+*   Mon Jun 25 2018 Keerthana K <keerthanak@vmware.com> 2.30-5

+-   Fixes for CVE-2018-6759, CVE-2018-6872, CVE-2018-7568, CVE-2018-7569,

+-   CVE-2018-7642, CVE-2018-8945, CVE-2018-10372, CVE-2018-10535.

 *   Thu Jun 7 2018 Keerthana K <keerthanak@vmware.com> 2.30-4

 -   Fix CVE-2018-10373

 *   Tue Apr 17 2018 Xiaolin Li <xiaolinl@vmware.com> 2.30-3