summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2018-08-07 16:22:27 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-08-15 10:22:45 +0100
commit1abb9cc58e4be1c5de0e763b3cc34c3e0640679d (patch)
tree0690c18706226e4504eaaba8b78009bfe176e98f
parentd40d4bf86f5f4cec5dc7e11227020f63684301df (diff)
downloadpoky-1abb9cc58e4be1c5de0e763b3cc34c3e0640679d.tar.gz
binutls: Security fix for CVE-2017-16832
Affects: <= 2.29.1 (From OE-Core rev: ec8861a2f280a3210f9423fd1b687bca6340b8ca) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.29.1.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch61
2 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index d5db6e8da4..6611fdc3a6 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -59,6 +59,7 @@ SRC_URI = "\
59 file://CVE-2017-16829.patch \ 59 file://CVE-2017-16829.patch \
60 file://CVE-2017-16830.patch \ 60 file://CVE-2017-16830.patch \
61 file://CVE-2017-16831.patch \ 61 file://CVE-2017-16831.patch \
62 file://CVE-2017-16832.patch \
62" 63"
63S = "${WORKDIR}/git" 64S = "${WORKDIR}/git"
64 65
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch
new file mode 100644
index 0000000000..9044bccf95
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch
@@ -0,0 +1,61 @@
1From 0bb6961f18b8e832d88b490d421ca56cea16c45b Mon Sep 17 00:00:00 2001
2From: Nick Clifton <nickc@redhat.com>
3Date: Tue, 31 Oct 2017 14:29:40 +0000
4Subject: [PATCH] Fix illegal memory access triggered when parsing a PE binary
5 with a corrupt data dictionary.
6
7 PR 22373
8 * peicode.h (pe_bfd_read_buildid): Check for invalid size and data
9 offset values.
10
11Upstrem-Status: Backport
12Affects: <= 2.29.1
13CVE: CVE-2017-16832
14Signed-off-by: Armin Kuster <akuster@mvista.com>
15
16---
17 bfd/ChangeLog | 6 ++++++
18 bfd/peicode.h | 9 ++++++---
19 2 files changed, 12 insertions(+), 3 deletions(-)
20
21Index: git/bfd/peicode.h
22===================================================================
23--- git.orig/bfd/peicode.h
24+++ git/bfd/peicode.h
25@@ -1303,7 +1303,6 @@ pe_bfd_read_buildid (bfd *abfd)
26 bfd_byte *data = 0;
27 bfd_size_type dataoff;
28 unsigned int i;
29-
30 bfd_vma addr = extra->DataDirectory[PE_DEBUG_DATA].VirtualAddress;
31 bfd_size_type size = extra->DataDirectory[PE_DEBUG_DATA].Size;
32
33@@ -1327,8 +1326,12 @@ pe_bfd_read_buildid (bfd *abfd)
34
35 dataoff = addr - section->vma;
36
37- /* PR 20605: Make sure that the data is really there. */
38- if (dataoff + size > section->size)
39+ /* PR 20605 and 22373: Make sure that the data is really there.
40+ Note - since we are dealing with unsigned quantities we have
41+ to be careful to check for potential overflows. */
42+ if (dataoff > section->size
43+ || size > section->size
44+ || dataoff + size > section->size)
45 {
46 _bfd_error_handler (_("%B: Error: Debug Data ends beyond end of debug directory."),
47 abfd);
48Index: git/bfd/ChangeLog
49===================================================================
50--- git.orig/bfd/ChangeLog
51+++ git/bfd/ChangeLog
52@@ -1,3 +1,9 @@
53+2017-10-31 Nick Clifton <nickc@redhat.com>
54+
55+ PR 22373
56+ * peicode.h (pe_bfd_read_buildid): Check for invalid size and data
57+ offset values.
58+
59 2017-11-03 Mingi Cho <mgcho.minic@gmail.com>
60 Nick Clifton <nickc@redhat.com>
61