binutils: Security fix for CVE-2019-12972

Source: git://sourceware.org / binutils-gdb.git MR: 98770 Type: Security Fix Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031 ChangeID: 7ced6bffbe01cbeadf50177eb332eef514baa19c Description: Fixes CVE-2019-12972 (From OE-Core rev: 16f4520f5cb581eb93bd3f0e3aa1feecc5c567ba) Signed-off-by: Armin Kuster <akuster@mvista.com> [v2] forgot to refresh inc file before sending Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2019-08-31 15:56:48 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-10-08 22:52:28 +0100
commit: 176dc6eb01bea925aa88a8dcab9f63e7dcd3dab5 (patch)
tree: 610b32d8bfcfcb6800da87665ea83b77ad2292d7
parent: d39b67e491b0885ce2c594eab5d3984ae4b4aad0 (diff)
download: poky-176dc6eb01bea925aa88a8dcab9f63e7dcd3dab5.tar.gz
2 files changed, 40 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc b/meta/recipes-devtools/binutils/binutils-2.31.inc
index 247f779a79..e1a6673b7f 100644
--- a/meta/recipes-devtools/binutils/binutils-2.31.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.31.inc
@@ -47,6 +47,7 @@ SRC_URI = "\
     file://CVE-2018-18606.patch \
     file://CVE-2018-18607.patch \
     file://CVE-2019-14444.patch \
+     file://CVE-2019-12972.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
new file mode 100644
index 0000000000..3e95b9221a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
@@ -0,0 +1,39 @@
+From 890f750a3b053532a4b839a2dd6243076de12031 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 21 Jun 2019 11:51:38 +0930
+Subject: [PATCH] PR24689, string table corruption
+The testcase in the PR had a e_shstrndx section of type SHT_GROUP.
+hdr->contents were initialized by setup_group rather than being read
+from the file, thus last byte was not zero and string dereference ran
+off the end of the buffer.
+        PR 24689
+        * elfcode.h (elf_object_p): Check type of e_shstrndx section.
+Upstream-Status: Backport
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031
+CVE: CVE-2019-12972
+Affects: <= 2.23.0
+Dropped Changelog
+Signed-off-by Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog | 5 +++++
+ bfd/elfcode.h | 3 ++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+Index: git/bfd/elfcode.h
+===================================================================
+--- git.orig/bfd/elfcode.h
+++ git/bfd/elfcode.h
+@@ -747,7 +747,8 @@ elf_object_p (bfd *abfd)
+   /* A further sanity check.  */
+   if (i_ehdrp->e_shnum != 0)
+     {
+-      if (i_ehdrp->e_shstrndx >= elf_numsections (abfd))
+      if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)
+         || i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB)
+        {
+          /* PR 2257:
+             We used to just goto got_wrong_format_error here
author	Armin Kuster <akuster@mvista.com>	2019-08-31 15:56:48 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:28 +0100
commit	176dc6eb01bea925aa88a8dcab9f63e7dcd3dab5 (patch)
tree	610b32d8bfcfcb6800da87665ea83b77ad2292d7
parent	d39b67e491b0885ce2c594eab5d3984ae4b4aad0 (diff)
download	poky-176dc6eb01bea925aa88a8dcab9f63e7dcd3dab5.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc b/meta/recipes-devtools/binutils/binutils-2.31.inc index 247f779a79..e1a6673b7f 100644 --- a/meta/recipes-devtools/binutils/binutils-2.31.inc +++ b/meta/recipes-devtools/binutils/binutils-2.31.inc
@@ -47,6 +47,7 @@ SRC_URI = "\
47	file://CVE-2018-18606.patch \	47	file://CVE-2018-18606.patch \
48	file://CVE-2018-18607.patch \	48	file://CVE-2018-18607.patch \
49	file://CVE-2019-14444.patch \	49	file://CVE-2019-14444.patch \
		50	file://CVE-2019-12972.patch \
50	"	51	"
51	S = "${WORKDIR}/git"	52	S = "${WORKDIR}/git"
52		53


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch new file mode 100644 index 0000000000..3e95b9221a --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
@@ -0,0 +1,39 @@
		1	From 890f750a3b053532a4b839a2dd6243076de12031 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Fri, 21 Jun 2019 11:51:38 +0930
		4	Subject: [PATCH] PR24689, string table corruption
		5
		6	The testcase in the PR had a e_shstrndx section of type SHT_GROUP.
		7	hdr->contents were initialized by setup_group rather than being read
		8	from the file, thus last byte was not zero and string dereference ran
		9	off the end of the buffer.
		10
		11	PR 24689
		12	* elfcode.h (elf_object_p): Check type of e_shstrndx section.
		13
		14	Upstream-Status: Backport
		15	https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031
		16
		17	CVE: CVE-2019-12972
		18	Affects: <= 2.23.0
		19	Dropped Changelog
		20	Signed-off-by Armin Kuster <akuster@mvista.com>
		21	---
		22	bfd/ChangeLog \| 5 +++++
		23	bfd/elfcode.h \| 3 ++-
		24	2 files changed, 7 insertions(+), 1 deletion(-)
		25
		26	Index: git/bfd/elfcode.h
		27	===================================================================
		28	--- git.orig/bfd/elfcode.h
		29	+++ git/bfd/elfcode.h
		30	@@ -747,7 +747,8 @@ elf_object_p (bfd *abfd)
		31	/* A further sanity check. */
		32	if (i_ehdrp->e_shnum != 0)
		33	{
		34	- if (i_ehdrp->e_shstrndx >= elf_numsections (abfd))
		35	+ if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)
		36	+ \|\| i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB)
		37	{
		38	/* PR 2257:
		39	We used to just goto got_wrong_format_error here