binutils: CVE-2017-9745

Source: binutils-gdb.git MR: 74062 Type: Security Fix Disposition: Backport from binutils-2_29 ChangeID: 2ec9457275509bfd8dc9185fbdcd485192a82cca Description: Handle EITR records in VMS Alpha binaries with overlarge command length parameters. PR binutils/21579 * vms-alpha.c (_bfd_vms_slurp_etir): Extend check of cmd_length. Affects: <= 2.28 Author: Nick Clifton <nickc@redhat.com> (From OE-Core rev: f8542a9cf50c8001f675f68e42234c306d8ce1e7) Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Thiruvadi Rajaraman <trajaraman@mvista.com> 2017-09-21 19:39:24 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-07 17:10:08 +0000
commit: 525986d6c631d179956e1caaedacc1e40768883a (patch)
tree: e8d54bdbd91cc4f12934335261639e649998c347
parent: 9753c5aa54f54bb82a80dc9d5dc3e52d34bc8b91 (diff)
download: poky-525986d6c631d179956e1caaedacc1e40768883a.tar.gz
2 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index 70d4065a15..f51ca4e897 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -89,6 +89,7 @@ SRC_URI = "\
     file://CVE-2017-9755_1.patch \
     file://CVE-2017-9755_2.patch \
     file://CVE-2017-9756.patch \
+     file://CVE-2017-9745.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9745.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9745.patch
new file mode 100644
index 0000000000..b80226f412
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9745.patch
@@ -0,0 +1,62 @@
+commit 76800cba595efc3fe95a446c2d664e42ae4ee869
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Thu Jun 15 12:08:57 2017 +0100
+    Handle EITR records in VMS Alpha binaries with overlarge command length parameters.
+    
+        PR binutils/21579
+        * vms-alpha.c (_bfd_vms_slurp_etir): Extend check of cmd_length.
+Upstream-Status: CVE-2017-9745
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c    2017-09-21 16:08:57.863375204 +0530
+++ git/bfd/vms-alpha.c 2017-09-21 16:08:58.211377888 +0530
+@@ -1801,14 +1801,8 @@
+ 
+       ptr += 4;
+ 
+-#if VMS_DEBUG
+-      _bfd_vms_debug (4, "etir: %s(%d)\n",
+-                      _bfd_vms_etir_name (cmd), cmd);
+-      _bfd_hexdump (8, ptr, cmd_length - 4, 0);
+-#endif
+-
+-      /* PR 21589: Check for a corrupt ETIR record.  */
+-      if (cmd_length < 4)
+      /* PR 21589 and 21579: Check for a corrupt ETIR record.  */
+      if (cmd_length < 4 || (ptr + cmd_length > maxptr + 4))
+        {
+        corrupt_etir:
+          _bfd_error_handler (_("Corrupt ETIR record encountered"));
+@@ -1816,6 +1810,12 @@
+          return FALSE;
+        }
+ 
+#if VMS_DEBUG
+      _bfd_vms_debug (4, "etir: %s(%d)\n",
+                      _bfd_vms_etir_name (cmd), cmd);
+      _bfd_hexdump (8, ptr, cmd_length - 4, 0);
+#endif
+
+       switch (cmd)
+         {
+           /* Stack global
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-09-21 16:08:57.927375697 +0530
+++ git/bfd/ChangeLog   2017-09-21 16:11:35.192613756 +0530
+@@ -81,6 +81,11 @@
+        PR binutils/21581
+        (ieee_archive_p): Likewise.
+ 
+2017-06-15  Nick Clifton  <nickc@redhat.com>
+
+       PR binutils/21579
+       * vms-alpha.c (_bfd_vms_slurp_etir): Extend check of cmd_length.
+
+ 2017-06-14  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21589
author	Thiruvadi Rajaraman <trajaraman@mvista.com>	2017-09-21 19:39:24 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-07 17:10:08 +0000
commit	525986d6c631d179956e1caaedacc1e40768883a (patch)
tree	e8d54bdbd91cc4f12934335261639e649998c347
parent	9753c5aa54f54bb82a80dc9d5dc3e52d34bc8b91 (diff)
download	poky-525986d6c631d179956e1caaedacc1e40768883a.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index 70d4065a15..f51ca4e897 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -89,6 +89,7 @@ SRC_URI = "\
89	file://CVE-2017-9755_1.patch \	89	file://CVE-2017-9755_1.patch \
90	file://CVE-2017-9755_2.patch \	90	file://CVE-2017-9755_2.patch \
91	file://CVE-2017-9756.patch \	91	file://CVE-2017-9756.patch \
		92	file://CVE-2017-9745.patch \
92	"	93	"
93	S = "${WORKDIR}/git"	94	S = "${WORKDIR}/git"
94		95


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9745.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9745.patch new file mode 100644 index 0000000000..b80226f412 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9745.patch
@@ -0,0 +1,62 @@
		1	commit 76800cba595efc3fe95a446c2d664e42ae4ee869
		2	Author: Nick Clifton <nickc@redhat.com>
		3	Date: Thu Jun 15 12:08:57 2017 +0100
		4
		5	Handle EITR records in VMS Alpha binaries with overlarge command length parameters.
		6
		7	PR binutils/21579
		8	* vms-alpha.c (_bfd_vms_slurp_etir): Extend check of cmd_length.
		9
		10	Upstream-Status: CVE-2017-9745
		11	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		12
		13	Index: git/bfd/vms-alpha.c
		14	===================================================================
		15	--- git.orig/bfd/vms-alpha.c 2017-09-21 16:08:57.863375204 +0530
		16	+++ git/bfd/vms-alpha.c 2017-09-21 16:08:58.211377888 +0530
		17	@@ -1801,14 +1801,8 @@
		18
		19	ptr += 4;
		20
		21	-#if VMS_DEBUG
		22	- _bfd_vms_debug (4, "etir: %s(%d)\n",
		23	- _bfd_vms_etir_name (cmd), cmd);
		24	- _bfd_hexdump (8, ptr, cmd_length - 4, 0);
		25	-#endif
		26	-
		27	- /* PR 21589: Check for a corrupt ETIR record. */
		28	- if (cmd_length < 4)
		29	+ /* PR 21589 and 21579: Check for a corrupt ETIR record. */
		30	+ if (cmd_length < 4 \|\| (ptr + cmd_length > maxptr + 4))
		31	{
		32	corrupt_etir:
		33	_bfd_error_handler (_("Corrupt ETIR record encountered"));
		34	@@ -1816,6 +1810,12 @@
		35	return FALSE;
		36	}
		37
		38	+#if VMS_DEBUG
		39	+ _bfd_vms_debug (4, "etir: %s(%d)\n",
		40	+ _bfd_vms_etir_name (cmd), cmd);
		41	+ _bfd_hexdump (8, ptr, cmd_length - 4, 0);
		42	+#endif
		43	+
		44	switch (cmd)
		45	{
		46	/* Stack global
		47	Index: git/bfd/ChangeLog
		48	===================================================================
		49	--- git.orig/bfd/ChangeLog 2017-09-21 16:08:57.927375697 +0530
		50	+++ git/bfd/ChangeLog 2017-09-21 16:11:35.192613756 +0530
		51	@@ -81,6 +81,11 @@
		52	PR binutils/21581
		53	(ieee_archive_p): Likewise.
		54
		55	+2017-06-15 Nick Clifton <nickc@redhat.com>
		56	+
		57	+ PR binutils/21579
		58	+ * vms-alpha.c (_bfd_vms_slurp_etir): Extend check of cmd_length.
		59	+
		60	2017-06-14 Nick Clifton <nickc@redhat.com>
		61
		62	PR binutils/21589