summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster808@gmail.com>2014-12-26 08:51:53 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-01-06 14:13:37 +0000
commit69df8dc63f927adfd8cdb4ed022a071bb9b89acd (patch)
tree5a6ef1de8a22fb71a1de851b38d70a7e74d503ed
parent2658acef69a0665e4d77f1b08cafb032749d9ee6 (diff)
downloadpoky-69df8dc63f927adfd8cdb4ed022a071bb9b89acd.tar.gz
binutils: several security fixes
CVE-2014-8484 CVE-2014-8485 CVE-2014-8501 CVE-2014-8502 CVE-2014-8503 CVE-2014-8504 CVE-2014-8737 and one supporting patch. [Yocto # 7084] (From OE-Core rev: 859fb4d9ec6974be9ce755e4ffefd9b199f3604c) (From OE-Core rev: d2b2d8c9ce3ef16ab053bd19a5705b01402b76ba) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.24.inc8
-rw-r--r--meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8484.patch67
-rw-r--r--meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8485.patch102
-rw-r--r--meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8501.patch60
-rw-r--r--meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8502.patch89
-rw-r--r--meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8502_1.patch523
-rw-r--r--meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8503.patch47
-rw-r--r--meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8504.patch75
-rw-r--r--meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8737.patch177
9 files changed, 1148 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.24.inc b/meta/recipes-devtools/binutils/binutils-2.24.inc
index 8f3216f2bf..63c928712e 100644
--- a/meta/recipes-devtools/binutils/binutils-2.24.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.24.inc
@@ -32,6 +32,14 @@ SRC_URI = "\
32 file://replace_macros_with_static_inline.patch \ 32 file://replace_macros_with_static_inline.patch \
33 file://0001-Fix-MMIX-build-breakage-from-bfd_set_section_vma-cha.patch \ 33 file://0001-Fix-MMIX-build-breakage-from-bfd_set_section_vma-cha.patch \
34 file://binutils-uninitialised-warning.patch \ 34 file://binutils-uninitialised-warning.patch \
35 file://binutils_CVE-2014-8484.patch \
36 file://binutils_CVE-2014-8485.patch \
37 file://binutils_CVE-2014-8501.patch \
38 file://binutils_CVE-2014-8502_1.patch \
39 file://binutils_CVE-2014-8502.patch \
40 file://binutils_CVE-2014-8503.patch \
41 file://binutils_CVE-2014-8504.patch \
42 file://binutils_CVE-2014-8737.patch \
35 " 43 "
36 44
37SRC_URI[md5sum] = "e0f71a7b2ddab0f8612336ac81d9636b" 45SRC_URI[md5sum] = "e0f71a7b2ddab0f8612336ac81d9636b"
diff --git a/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8484.patch b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8484.patch
new file mode 100644
index 0000000000..e789499477
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8484.patch
@@ -0,0 +1,67 @@
1Upstream-Status: Backport
2
3CVE-2014-8484 fix.
4
5[YOCTO #7084]
6
7Signed-off-by: Armin Kuster <akuster808@gmail.com>
8
9From bd25671c6f202c4a5108883caa2adb24ff6f361f Mon Sep 17 00:00:00 2001
10From: Alan Modra <amodra@gmail.com>
11Date: Fri, 29 Aug 2014 10:36:29 +0930
12Subject: [PATCH] Report an error for S-records with less than the miniumum
13 size
14
15 * srec.c (srec_scan): Revert last change. Report an error for
16 S-records with less than the miniumum byte count.
17---
18 bfd/ChangeLog | 5 +++++
19 bfd/srec.c | 18 +++++++++++++++---
20 2 files changed, 20 insertions(+), 3 deletions(-)
21
22Index: binutils-2.24/bfd/srec.c
23===================================================================
24--- binutils-2.24.orig/bfd/srec.c
25+++ binutils-2.24/bfd/srec.c
26@@ -455,7 +455,7 @@ srec_scan (bfd *abfd)
27 {
28 file_ptr pos;
29 char hdr[3];
30- unsigned int bytes;
31+ unsigned int bytes, min_bytes;
32 bfd_vma address;
33 bfd_byte *data;
34 unsigned char check_sum;
35@@ -478,6 +478,19 @@ srec_scan (bfd *abfd)
36 }
37
38 check_sum = bytes = HEX (hdr + 1);
39+ min_bytes = 3;
40+ if (hdr[0] == '2' || hdr[0] == '8')
41+ min_bytes = 4;
42+ else if (hdr[0] == '3' || hdr[0] == '7')
43+ min_bytes = 5;
44+ if (bytes < min_bytes)
45+ {
46+ (*_bfd_error_handler) (_("%B:%d: byte count %d too small\n"),
47+ abfd, lineno, bytes);
48+ bfd_set_error (bfd_error_bad_value);
49+ goto error_return;
50+ }
51+
52 if (bytes * 2 > bufsize)
53 {
54 if (buf != NULL)
55Index: binutils-2.24/bfd/ChangeLog
56===================================================================
57--- binutils-2.24.orig/bfd/ChangeLog
58+++ binutils-2.24/bfd/ChangeLog
59@@ -1,3 +1,8 @@
60+2014-08-29 Alan Modra <amodra@gmail.com>
61+
62+ * srec.c (srec_scan): Revert last change. Report an error for
63+ S-records with less than the miniumum byte count.
64+
65 2013-12-02 Tristan Gingold <gingold@adacore.com>
66
67 * configure.in: Bump version to 2.24
diff --git a/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8485.patch b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8485.patch
new file mode 100644
index 0000000000..ec3308b4f4
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8485.patch
@@ -0,0 +1,102 @@
1Upstream-Status: Backport
2
3CVE-2014-8485 fix.
4
5[YOCTO #7084]
6
7Signed-off-by: Armin Kuster <akuster808@gmail.com>
8
9From 493a33860c71cac998f1a56d6d87d6faa801fbaa Mon Sep 17 00:00:00 2001
10From: Nick Clifton <nickc@redhat.com>
11Date: Mon, 27 Oct 2014 12:43:16 +0000
12Subject: [PATCH] This patch closes a potential security hole in applications
13 that use the bfd library to parse binaries containing maliciously corrupt
14 section group headers.
15
16 PR binutils/17510
17 * elf.c (setup_group): Improve handling of corrupt group
18 sections.
19---
20 bfd/ChangeLog | 6 ++++++
21 bfd/elf.c | 34 ++++++++++++++++++++++++++++++----
22 2 files changed, 36 insertions(+), 4 deletions(-)
23
24Index: binutils-2.24/bfd/elf.c
25===================================================================
26--- binutils-2.24.orig/bfd/elf.c
27+++ binutils-2.24/bfd/elf.c
28@@ -608,9 +608,10 @@ setup_group (bfd *abfd, Elf_Internal_Shd
29 if (shdr->contents == NULL)
30 {
31 _bfd_error_handler
32- (_("%B: Corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
33+ (_("%B: corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
34 bfd_set_error (bfd_error_bad_value);
35- return FALSE;
36+ -- num_group;
37+ continue;
38 }
39
40 memset (shdr->contents, 0, amt);
41@@ -618,7 +619,16 @@ setup_group (bfd *abfd, Elf_Internal_Shd
42 if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0
43 || (bfd_bread (shdr->contents, shdr->sh_size, abfd)
44 != shdr->sh_size))
45- return FALSE;
46+ {
47+ _bfd_error_handler
48+ (_("%B: invalid size field in group section header: 0x%lx"), abfd, shdr->sh_size);
49+ bfd_set_error (bfd_error_bad_value);
50+ -- num_group;
51+ /* PR 17510: If the group contents are even partially
52+ corrupt, do not allow any of the contents to be used. */
53+ memset (shdr->contents, 0, amt);
54+ continue;
55+ }
56
57 /* Translate raw contents, a flag word followed by an
58 array of elf section indices all in target byte order,
59@@ -651,6 +661,21 @@ setup_group (bfd *abfd, Elf_Internal_Shd
60 }
61 }
62 }
63+
64+ /* PR 17510: Corrupt binaries might contain invalid groups. */
65+ if (num_group != (unsigned) elf_tdata (abfd)->num_group)
66+ {
67+ elf_tdata (abfd)->num_group = num_group;
68+
69+ /* If all groups are invalid then fail. */
70+ if (num_group == 0)
71+ {
72+ elf_tdata (abfd)->group_sect_ptr = NULL;
73+ elf_tdata (abfd)->num_group = num_group = -1;
74+ (*_bfd_error_handler) (_("%B: no valid group sections found"), abfd);
75+ bfd_set_error (bfd_error_bad_value);
76+ }
77+ }
78 }
79 }
80
81@@ -716,6 +741,7 @@ setup_group (bfd *abfd, Elf_Internal_Shd
82 {
83 (*_bfd_error_handler) (_("%B: no group info for section %A"),
84 abfd, newsect);
85+ return FALSE;
86 }
87 return TRUE;
88 }
89Index: binutils-2.24/bfd/ChangeLog
90===================================================================
91--- binutils-2.24.orig/bfd/ChangeLog
92+++ binutils-2.24/bfd/ChangeLog
93@@ -1,3 +1,9 @@
94+2014-10-27 Nick Clifton <nickc@redhat.com>
95+
96+ PR binutils/17510
97+ * elf.c (setup_group): Improve handling of corrupt group
98+ sections.
99+
100 2014-08-29 Alan Modra <amodra@gmail.com>
101
102 * srec.c (srec_scan): Revert last change. Report an error for
diff --git a/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8501.patch b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8501.patch
new file mode 100644
index 0000000000..a48fe9b23b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8501.patch
@@ -0,0 +1,60 @@
1Upstream-Status: Backport
2
3CVE-2014-8501 fix.
4
5[YOCTO #7084]
6
7Signed-off-by: Armin Kuster <akuster808@gmail.com>
8
9From 7e1e19887abd24aeb15066b141cdff5541e0ec8e Mon Sep 17 00:00:00 2001
10From: Nick Clifton <nickc@redhat.com>
11Date: Mon, 27 Oct 2014 14:45:06 +0000
12Subject: [PATCH] Fix a seg-fault in strings and other binutuils when parsing a
13 corrupt PE executable with an invalid value in the NumberOfRvaAndSizes field
14 of the AOUT header.
15
16 PR binutils/17512
17 * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries
18 with an invalid value for NumberOfRvaAndSizes.
19---
20 bfd/ChangeLog | 4 ++++
21 bfd/peXXigen.c | 12 ++++++++++++
22 2 files changed, 16 insertions(+)
23
24Index: binutils-2.24/bfd/peXXigen.c
25===================================================================
26--- binutils-2.24.orig/bfd/peXXigen.c
27+++ binutils-2.24/bfd/peXXigen.c
28@@ -460,6 +460,18 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd,
29 {
30 int idx;
31
32+ /* PR 17512: Corrupt PE binaries can cause seg-faults. */
33+ if (a->NumberOfRvaAndSizes > 16)
34+ {
35+ (*_bfd_error_handler)
36+ (_("%B: aout header specifies an invalid number of data-directory entries: %d"),
37+ abfd, a->NumberOfRvaAndSizes);
38+ /* Paranoia: If the number is corrupt, then assume that the
39+ actual entries themselves might be corrupt as well. */
40+ a->NumberOfRvaAndSizes = 0;
41+ }
42+
43+
44 for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++)
45 {
46 /* If data directory is empty, rva also should be 0. */
47Index: binutils-2.24/bfd/ChangeLog
48===================================================================
49--- binutils-2.24.orig/bfd/ChangeLog
50+++ binutils-2.24/bfd/ChangeLog
51@@ -1,5 +1,9 @@
52 2014-10-27 Nick Clifton <nickc@redhat.com>
53
54+ PR binutils/17512
55+ * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries
56+ with an invalid value for NumberOfRvaAndSizes.
57+
58 PR binutils/17510
59 * elf.c (setup_group): Improve handling of corrupt group
60 sections.
diff --git a/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8502.patch b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8502.patch
new file mode 100644
index 0000000000..05af65bad1
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8502.patch
@@ -0,0 +1,89 @@
1Upstream-Status: Backport
2
3CVE-2014-8502 fix.
4
5[YOCTO #7084]
6
7Signed-off-by: Armin Kuster <akuster808@gmail.com>
8
9From 5a4b0ccc20ba30caef53b01bee2c0aaa5b855339 Mon Sep 17 00:00:00 2001
10From: Nick Clifton <nickc@redhat.com>
11Date: Tue, 28 Oct 2014 15:42:56 +0000
12Subject: [PATCH] More fixes for corrupt binaries crashing the binutils.
13
14 PR binutils/17512
15 * elf.c (bfd_section_from_shdr): Allocate and free the recursion
16 detection table on a per-bfd basis.
17 * peXXigen.c (pe_print_edata): Handle binaries with a truncated
18 export table.
19---
20 bfd/ChangeLog | 8 ++++++++
21 bfd/elf.c | 16 +++++++++++++---
22 bfd/peXXigen.c | 9 +++++++++
23 3 files changed, 30 insertions(+), 3 deletions(-)
24
25Index: binutils-2.24/bfd/peXXigen.c
26===================================================================
27--- binutils-2.24.orig/bfd/peXXigen.c
28+++ binutils-2.24/bfd/peXXigen.c
29@@ -1438,6 +1438,15 @@ pe_print_edata (bfd * abfd, void * vfile
30 }
31 }
32
33+ /* PR 17512: Handle corrupt PE binaries. */
34+ if (datasize < 36)
35+ {
36+ fprintf (file,
37+ _("\nThere is an export table in %s, but it is too small (%d)\n"),
38+ section->name, (int) datasize);
39+ return TRUE;
40+ }
41+
42 fprintf (file, _("\nThere is an export table in %s at 0x%lx\n"),
43 section->name, (unsigned long) addr);
44
45Index: binutils-2.24/bfd/elf.c
46===================================================================
47--- binutils-2.24.orig/bfd/elf.c
48+++ binutils-2.24/bfd/elf.c
49@@ -1576,6 +1576,7 @@ bfd_section_from_shdr (bfd *abfd, unsign
50 const char *name;
51 bfd_boolean ret = TRUE;
52 static bfd_boolean * sections_being_created = NULL;
53+ static bfd * sections_being_created_abfd = NULL;
54 static unsigned int nesting = 0;
55
56 if (shindex >= elf_numsections (abfd))
57@@ -1588,13 +1589,20 @@ bfd_section_from_shdr (bfd *abfd, unsign
58 loop. Detect this here, by refusing to load a section that we are
59 already in the process of loading. We only trigger this test if
60 we have nested at least three sections deep as normal ELF binaries
61- can expect to recurse at least once. */
62+ can expect to recurse at least once.
63+
64+ FIXME: It would be better if this array was attached to the bfd,
65+ rather than being held in a static pointer. */
66+
67+ if (sections_being_created_abfd != abfd)
68+ sections_being_created = NULL;
69
70 if (sections_being_created == NULL)
71 {
72 /* FIXME: It would be more efficient to attach this array to the bfd somehow. */
73 sections_being_created = (bfd_boolean *)
74 bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean));
75+ sections_being_created_abfd = abfd;
76 }
77 if (sections_being_created [shindex])
78 {
79@@ -2098,7 +2106,10 @@ bfd_section_from_shdr (bfd *abfd, unsign
80 if (sections_being_created)
81 sections_being_created [shindex] = FALSE;
82 if (-- nesting == 0)
83+ {
84 sections_being_created = NULL;
85+ sections_being_created_abfd = abfd;
86+ }
87 return ret;
88 }
89
diff --git a/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8502_1.patch b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8502_1.patch
new file mode 100644
index 0000000000..9e0c9c8b3c
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8502_1.patch
@@ -0,0 +1,523 @@
1Upstream-Status: Backport
2
3CVE-2014-8502 supporting patch.
4
5[YOCTO #7084]
6
7Signed-off-by: Armin Kuster <akuster808@gmail.com>
8
9From bf67003b4567600ed3022a439207ac8f26454f91 Mon Sep 17 00:00:00 2001
10From: Nick Clifton <nickc@redhat.com>
11Date: Mon, 27 Oct 2014 18:05:37 +0000
12Subject: [PATCH] This fixes more seg-faults in tools like "strings" and
13 "objdump" when presented with corrupt binaries.
14
15 PR binutils/17512
16 * elf.c (bfd_section_from_shdr): Detect and warn about ELF
17 binaries with a group of sections linked by the string table
18 indicies.
19 * peXXigen.c (pe_print_edata): Detect out of range rvas and
20 entry counts for the Export Address table, Name Pointer table
21 and Ordinal table.
22---
23 bfd/ChangeLog | 5 ++
24 bfd/elf.c | 194 ++++++++++++++++++++++++++++++++++++++-------------------
25 bfd/peXXigen.c | 18 +++++-
26 3 files changed, 150 insertions(+), 67 deletions(-)
27
28Index: binutils-2.24/bfd/elf.c
29===================================================================
30--- binutils-2.24.orig/bfd/elf.c
31+++ binutils-2.24/bfd/elf.c
32@@ -1574,38 +1574,67 @@ bfd_section_from_shdr (bfd *abfd, unsign
33 Elf_Internal_Ehdr *ehdr;
34 const struct elf_backend_data *bed;
35 const char *name;
36+ bfd_boolean ret = TRUE;
37+ static bfd_boolean * sections_being_created = NULL;
38+ static unsigned int nesting = 0;
39
40 if (shindex >= elf_numsections (abfd))
41 return FALSE;
42
43+ if (++ nesting > 3)
44+ {
45+ /* PR17512: A corrupt ELF binary might contain a recursive group of
46+ sections, each the string indicies pointing to the next in the
47+ loop. Detect this here, by refusing to load a section that we are
48+ already in the process of loading. We only trigger this test if
49+ we have nested at least three sections deep as normal ELF binaries
50+ can expect to recurse at least once. */
51+
52+ if (sections_being_created == NULL)
53+ {
54+ /* FIXME: It would be more efficient to attach this array to the bfd somehow. */
55+ sections_being_created = (bfd_boolean *)
56+ bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean));
57+ }
58+ if (sections_being_created [shindex])
59+ {
60+ (*_bfd_error_handler)
61+ (_("%B: warning: loop in section dependencies detected"), abfd);
62+ return FALSE;
63+ }
64+ sections_being_created [shindex] = TRUE;
65+ }
66+
67 hdr = elf_elfsections (abfd)[shindex];
68 ehdr = elf_elfheader (abfd);
69 name = bfd_elf_string_from_elf_section (abfd, ehdr->e_shstrndx,
70 hdr->sh_name);
71 if (name == NULL)
72- return FALSE;
73+ goto fail;
74
75 bed = get_elf_backend_data (abfd);
76 switch (hdr->sh_type)
77 {
78 case SHT_NULL:
79 /* Inactive section. Throw it away. */
80- return TRUE;
81+ goto success;
82
83- case SHT_PROGBITS: /* Normal section with contents. */
84- case SHT_NOBITS: /* .bss section. */
85- case SHT_HASH: /* .hash section. */
86- case SHT_NOTE: /* .note section. */
87+ case SHT_PROGBITS: /* Normal section with contents. */
88+ case SHT_NOBITS: /* .bss section. */
89+ case SHT_HASH: /* .hash section. */
90+ case SHT_NOTE: /* .note section. */
91 case SHT_INIT_ARRAY: /* .init_array section. */
92 case SHT_FINI_ARRAY: /* .fini_array section. */
93 case SHT_PREINIT_ARRAY: /* .preinit_array section. */
94 case SHT_GNU_LIBLIST: /* .gnu.liblist section. */
95 case SHT_GNU_HASH: /* .gnu.hash section. */
96- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
97+ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
98+ goto success;
99
100 case SHT_DYNAMIC: /* Dynamic linking information. */
101 if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex))
102- return FALSE;
103+ goto fail;
104+
105 if (hdr->sh_link > elf_numsections (abfd))
106 {
107 /* PR 10478: Accept Solaris binaries with a sh_link
108@@ -1619,11 +1648,11 @@ bfd_section_from_shdr (bfd *abfd, unsign
109 break;
110 /* Otherwise fall through. */
111 default:
112- return FALSE;
113+ goto fail;
114 }
115 }
116 else if (elf_elfsections (abfd)[hdr->sh_link] == NULL)
117- return FALSE;
118+ goto fail;
119 else if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB)
120 {
121 Elf_Internal_Shdr *dynsymhdr;
122@@ -1652,24 +1681,26 @@ bfd_section_from_shdr (bfd *abfd, unsign
123 }
124 }
125 }
126- break;
127+ goto success;
128
129- case SHT_SYMTAB: /* A symbol table */
130+ case SHT_SYMTAB: /* A symbol table. */
131 if (elf_onesymtab (abfd) == shindex)
132- return TRUE;
133+ goto success;
134
135 if (hdr->sh_entsize != bed->s->sizeof_sym)
136- return FALSE;
137+ goto fail;
138+
139 if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size)
140 {
141 if (hdr->sh_size != 0)
142- return FALSE;
143+ goto fail;
144 /* Some assemblers erroneously set sh_info to one with a
145 zero sh_size. ld sees this as a global symbol count
146 of (unsigned) -1. Fix it here. */
147 hdr->sh_info = 0;
148- return TRUE;
149+ goto success;
150 }
151+
152 BFD_ASSERT (elf_onesymtab (abfd) == 0);
153 elf_onesymtab (abfd) = shindex;
154 elf_tdata (abfd)->symtab_hdr = *hdr;
155@@ -1686,7 +1717,7 @@ bfd_section_from_shdr (bfd *abfd, unsign
156 && (abfd->flags & DYNAMIC) != 0
157 && ! _bfd_elf_make_section_from_shdr (abfd, hdr, name,
158 shindex))
159- return FALSE;
160+ goto fail;
161
162 /* Go looking for SHT_SYMTAB_SHNDX too, since if there is one we
163 can't read symbols without that section loaded as well. It
164@@ -1712,26 +1743,29 @@ bfd_section_from_shdr (bfd *abfd, unsign
165 break;
166 }
167 if (i != shindex)
168- return bfd_section_from_shdr (abfd, i);
169+ ret = bfd_section_from_shdr (abfd, i);
170 }
171- return TRUE;
172+ goto success;
173
174- case SHT_DYNSYM: /* A dynamic symbol table */
175+ case SHT_DYNSYM: /* A dynamic symbol table. */
176 if (elf_dynsymtab (abfd) == shindex)
177- return TRUE;
178+ goto success;
179
180 if (hdr->sh_entsize != bed->s->sizeof_sym)
181- return FALSE;
182+ goto fail;
183+
184 if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size)
185 {
186 if (hdr->sh_size != 0)
187- return FALSE;
188+ goto fail;
189+
190 /* Some linkers erroneously set sh_info to one with a
191 zero sh_size. ld sees this as a global symbol count
192 of (unsigned) -1. Fix it here. */
193 hdr->sh_info = 0;
194- return TRUE;
195+ goto success;
196 }
197+
198 BFD_ASSERT (elf_dynsymtab (abfd) == 0);
199 elf_dynsymtab (abfd) = shindex;
200 elf_tdata (abfd)->dynsymtab_hdr = *hdr;
201@@ -1740,34 +1774,38 @@ bfd_section_from_shdr (bfd *abfd, unsign
202
203 /* Besides being a symbol table, we also treat this as a regular
204 section, so that objcopy can handle it. */
205- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
206+ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
207+ goto success;
208
209- case SHT_SYMTAB_SHNDX: /* Symbol section indices when >64k sections */
210+ case SHT_SYMTAB_SHNDX: /* Symbol section indices when >64k sections. */
211 if (elf_symtab_shndx (abfd) == shindex)
212- return TRUE;
213+ goto success;
214
215 BFD_ASSERT (elf_symtab_shndx (abfd) == 0);
216 elf_symtab_shndx (abfd) = shindex;
217 elf_tdata (abfd)->symtab_shndx_hdr = *hdr;
218 elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->symtab_shndx_hdr;
219- return TRUE;
220+ goto success;
221
222- case SHT_STRTAB: /* A string table */
223+ case SHT_STRTAB: /* A string table. */
224 if (hdr->bfd_section != NULL)
225- return TRUE;
226+ goto success;
227+
228 if (ehdr->e_shstrndx == shindex)
229 {
230 elf_tdata (abfd)->shstrtab_hdr = *hdr;
231 elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->shstrtab_hdr;
232- return TRUE;
233+ goto success;
234 }
235+
236 if (elf_elfsections (abfd)[elf_onesymtab (abfd)]->sh_link == shindex)
237 {
238 symtab_strtab:
239 elf_tdata (abfd)->strtab_hdr = *hdr;
240 elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->strtab_hdr;
241- return TRUE;
242+ goto success;
243 }
244+
245 if (elf_elfsections (abfd)[elf_dynsymtab (abfd)]->sh_link == shindex)
246 {
247 dynsymtab_strtab:
248@@ -1776,8 +1814,9 @@ bfd_section_from_shdr (bfd *abfd, unsign
249 elf_elfsections (abfd)[shindex] = hdr;
250 /* We also treat this as a regular section, so that objcopy
251 can handle it. */
252- return _bfd_elf_make_section_from_shdr (abfd, hdr, name,
253- shindex);
254+ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name,
255+ shindex);
256+ goto success;
257 }
258
259 /* If the string table isn't one of the above, then treat it as a
260@@ -1795,9 +1834,9 @@ bfd_section_from_shdr (bfd *abfd, unsign
261 {
262 /* Prevent endless recursion on broken objects. */
263 if (i == shindex)
264- return FALSE;
265+ goto fail;
266 if (! bfd_section_from_shdr (abfd, i))
267- return FALSE;
268+ goto fail;
269 if (elf_onesymtab (abfd) == i)
270 goto symtab_strtab;
271 if (elf_dynsymtab (abfd) == i)
272@@ -1805,7 +1844,8 @@ bfd_section_from_shdr (bfd *abfd, unsign
273 }
274 }
275 }
276- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
277+ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
278+ goto success;
279
280 case SHT_REL:
281 case SHT_RELA:
282@@ -1820,7 +1860,7 @@ bfd_section_from_shdr (bfd *abfd, unsign
283 if (hdr->sh_entsize
284 != (bfd_size_type) (hdr->sh_type == SHT_REL
285 ? bed->s->sizeof_rel : bed->s->sizeof_rela))
286- return FALSE;
287+ goto fail;
288
289 /* Check for a bogus link to avoid crashing. */
290 if (hdr->sh_link >= num_sec)
291@@ -1828,8 +1868,9 @@ bfd_section_from_shdr (bfd *abfd, unsign
292 ((*_bfd_error_handler)
293 (_("%B: invalid link %lu for reloc section %s (index %u)"),
294 abfd, hdr->sh_link, name, shindex));
295- return _bfd_elf_make_section_from_shdr (abfd, hdr, name,
296- shindex);
297+ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name,
298+ shindex);
299+ goto success;
300 }
301
302 /* For some incomprehensible reason Oracle distributes
303@@ -1870,7 +1911,7 @@ bfd_section_from_shdr (bfd *abfd, unsign
304 if ((elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_SYMTAB
305 || elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_DYNSYM)
306 && ! bfd_section_from_shdr (abfd, hdr->sh_link))
307- return FALSE;
308+ goto fail;
309
310 /* If this reloc section does not use the main symbol table we
311 don't treat it as a reloc section. BFD can't adequately
312@@ -1885,14 +1926,18 @@ bfd_section_from_shdr (bfd *abfd, unsign
313 || hdr->sh_info >= num_sec
314 || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL
315 || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA)
316- return _bfd_elf_make_section_from_shdr (abfd, hdr, name,
317- shindex);
318+ {
319+ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name,
320+ shindex);
321+ goto success;
322+ }
323
324 if (! bfd_section_from_shdr (abfd, hdr->sh_info))
325- return FALSE;
326+ goto fail;
327+
328 target_sect = bfd_section_from_elf_index (abfd, hdr->sh_info);
329 if (target_sect == NULL)
330- return FALSE;
331+ goto fail;
332
333 esdt = elf_section_data (target_sect);
334 if (hdr->sh_type == SHT_RELA)
335@@ -1904,7 +1949,7 @@ bfd_section_from_shdr (bfd *abfd, unsign
336 amt = sizeof (*hdr2);
337 hdr2 = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt);
338 if (hdr2 == NULL)
339- return FALSE;
340+ goto fail;
341 *hdr2 = *hdr;
342 *p_hdr = hdr2;
343 elf_elfsections (abfd)[shindex] = hdr2;
344@@ -1920,34 +1965,40 @@ bfd_section_from_shdr (bfd *abfd, unsign
345 target_sect->use_rela_p = 1;
346 }
347 abfd->flags |= HAS_RELOC;
348- return TRUE;
349+ goto success;
350 }
351
352 case SHT_GNU_verdef:
353 elf_dynverdef (abfd) = shindex;
354 elf_tdata (abfd)->dynverdef_hdr = *hdr;
355- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
356+ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
357+ goto success;
358
359 case SHT_GNU_versym:
360 if (hdr->sh_entsize != sizeof (Elf_External_Versym))
361- return FALSE;
362+ goto fail;
363+
364 elf_dynversym (abfd) = shindex;
365 elf_tdata (abfd)->dynversym_hdr = *hdr;
366- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
367+ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
368+ goto success;
369
370 case SHT_GNU_verneed:
371 elf_dynverref (abfd) = shindex;
372 elf_tdata (abfd)->dynverref_hdr = *hdr;
373- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
374+ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
375+ goto success;
376
377 case SHT_SHLIB:
378- return TRUE;
379+ goto success;
380
381 case SHT_GROUP:
382 if (! IS_VALID_GROUP_SECTION_HEADER (hdr, GRP_ENTRY_SIZE))
383- return FALSE;
384+ goto fail;
385+
386 if (!_bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex))
387- return FALSE;
388+ goto fail;
389+
390 if (hdr->contents != NULL)
391 {
392 Elf_Internal_Group *idx = (Elf_Internal_Group *) hdr->contents;
393@@ -1973,7 +2024,7 @@ bfd_section_from_shdr (bfd *abfd, unsign
394 }
395 }
396 }
397- break;
398+ goto success;
399
400 default:
401 /* Possibly an attributes section. */
402@@ -1981,14 +2032,14 @@ bfd_section_from_shdr (bfd *abfd, unsign
403 || hdr->sh_type == bed->obj_attrs_section_type)
404 {
405 if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex))
406- return FALSE;
407+ goto fail;
408 _bfd_elf_parse_attributes (abfd, hdr);
409- return TRUE;
410+ goto success;
411 }
412
413 /* Check for any processor-specific section types. */
414 if (bed->elf_backend_section_from_shdr (abfd, hdr, name, shindex))
415- return TRUE;
416+ goto success;
417
418 if (hdr->sh_type >= SHT_LOUSER && hdr->sh_type <= SHT_HIUSER)
419 {
420@@ -2000,9 +2051,12 @@ bfd_section_from_shdr (bfd *abfd, unsign
421 "specific section `%s' [0x%8x]"),
422 abfd, name, hdr->sh_type);
423 else
424- /* Allow sections reserved for applications. */
425- return _bfd_elf_make_section_from_shdr (abfd, hdr, name,
426- shindex);
427+ {
428+ /* Allow sections reserved for applications. */
429+ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name,
430+ shindex);
431+ goto success;
432+ }
433 }
434 else if (hdr->sh_type >= SHT_LOPROC
435 && hdr->sh_type <= SHT_HIPROC)
436@@ -2023,8 +2077,11 @@ bfd_section_from_shdr (bfd *abfd, unsign
437 "`%s' [0x%8x]"),
438 abfd, name, hdr->sh_type);
439 else
440- /* Otherwise it should be processed. */
441- return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
442+ {
443+ /* Otherwise it should be processed. */
444+ ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
445+ goto success;
446+ }
447 }
448 else
449 /* FIXME: We should handle this section. */
450@@ -2032,10 +2089,17 @@ bfd_section_from_shdr (bfd *abfd, unsign
451 (_("%B: don't know how to handle section `%s' [0x%8x]"),
452 abfd, name, hdr->sh_type);
453
454- return FALSE;
455+ goto fail;
456 }
457
458- return TRUE;
459+ fail:
460+ ret = FALSE;
461+ success:
462+ if (sections_being_created)
463+ sections_being_created [shindex] = FALSE;
464+ if (-- nesting == 0)
465+ sections_being_created = NULL;
466+ return ret;
467 }
468
469 /* Return the local symbol specified by ABFD, R_SYMNDX. */
470Index: binutils-2.24/bfd/peXXigen.c
471===================================================================
472--- binutils-2.24.orig/bfd/peXXigen.c
473+++ binutils-2.24/bfd/peXXigen.c
474@@ -1528,7 +1528,12 @@ pe_print_edata (bfd * abfd, void * vfile
475 _("\nExport Address Table -- Ordinal Base %ld\n"),
476 edt.base);
477
478- for (i = 0; i < edt.num_functions; ++i)
479+ /* PR 17512: Handle corrupt PE binaries. */
480+ if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize)
481+ fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"),
482+ (long) edt.eat_addr,
483+ (long) edt.num_functions);
484+ else for (i = 0; i < edt.num_functions; ++i)
485 {
486 bfd_vma eat_member = bfd_get_32 (abfd,
487 data + edt.eat_addr + (i * 4) - adj);
488@@ -1564,7 +1569,16 @@ pe_print_edata (bfd * abfd, void * vfile
489 fprintf (file,
490 _("\n[Ordinal/Name Pointer] Table\n"));
491
492- for (i = 0; i < edt.num_names; ++i)
493+ /* PR 17512: Handle corrupt PE binaries. */
494+ if (edt.npt_addr + (edt.num_names * 4) - adj >= datasize)
495+ fprintf (file, _("\tInvalid Name Pointer Table rva (0x%lx) or entry count (0x%lx)\n"),
496+ (long) edt.npt_addr,
497+ (long) edt.num_names);
498+ else if (edt.ot_addr + (edt.num_names * 2) - adj >= datasize)
499+ fprintf (file, _("\tInvalid Ordinal Table rva (0x%lx) or entry count (0x%lx)\n"),
500+ (long) edt.ot_addr,
501+ (long) edt.num_names);
502+ else for (i = 0; i < edt.num_names; ++i)
503 {
504 bfd_vma name_ptr = bfd_get_32 (abfd,
505 data +
506Index: binutils-2.24/bfd/ChangeLog
507===================================================================
508--- binutils-2.24.orig/bfd/ChangeLog
509+++ binutils-2.24/bfd/ChangeLog
510@@ -1,8 +1,13 @@
511 2014-10-27 Nick Clifton <nickc@redhat.com>
512
513 PR binutils/17512
514+ * elf.c (bfd_section_from_shdr): Detect and warn about ELF
515+ binaries with a group of sections linked by the string table
516+ indicies.
517 * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries
518 with an invalid value for NumberOfRvaAndSizes.
519+ (pe_print_edata): Detect out of range rvas and entry counts for
520+ the Export Address table, Name Pointer table and Ordinal table.
521
522 PR binutils/17510
523 * elf.c (setup_group): Improve handling of corrupt group
diff --git a/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8503.patch b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8503.patch
new file mode 100644
index 0000000000..2dd3354fc1
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8503.patch
@@ -0,0 +1,47 @@
1Upstream-Status: Backport
2
3CVE-2014-8503 fix.
4
5[YOCTO #7084]
6
7Signed-off-by: Armin Kuster <akuster808@gmail.com>
8
9From 0102ea8cec5fc509bba6c91df61b7ce23a799d32 Mon Sep 17 00:00:00 2001
10From: Nick Clifton <nickc@redhat.com>
11Date: Thu, 30 Oct 2014 17:16:17 +0000
12Subject: [PATCH] Fixes a seg-fault in the ihex parser when it encounters a
13 malformed ihex file.
14
15 PR binutils/17512
16 * ihex.c (ihex_scan): Fix typo in invocation of ihex_bad_byte.
17---
18 bfd/ChangeLog | 1 +
19 bfd/ihex.c | 2 +-
20 2 files changed, 2 insertions(+), 1 deletion(-)
21
22Index: binutils-2.24/bfd/ihex.c
23===================================================================
24--- binutils-2.24.orig/bfd/ihex.c
25+++ binutils-2.24/bfd/ihex.c
26@@ -322,7 +322,7 @@ ihex_scan (bfd *abfd)
27 {
28 if (! ISHEX (buf[i]))
29 {
30- ihex_bad_byte (abfd, lineno, hdr[i], error);
31+ ihex_bad_byte (abfd, lineno, buf[i], error);
32 goto error_return;
33 }
34 }
35Index: binutils-2.24/bfd/ChangeLog
36===================================================================
37--- binutils-2.24.orig/bfd/ChangeLog
38+++ binutils-2.24/bfd/ChangeLog
39@@ -1,3 +1,8 @@
40+2014-10-30 Nick Clifton <nickc@redhat.com>
41+
42+ PR binutils/17512
43+ * ihex.c (ihex_scan): Fix typo in invocation of ihex_bad_byte.
44+
45 2014-10-27 Nick Clifton <nickc@redhat.com>
46
47 PR binutils/17512
diff --git a/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8504.patch b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8504.patch
new file mode 100644
index 0000000000..b4d1d1ff61
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8504.patch
@@ -0,0 +1,75 @@
1Upstream-Status: Backport
2
3CVE-2014-8504 fix.
4
5[YOCTO #7084]
6
7Signed-off-by: Armin Kuster <akuster808@gmail.com>
8
9From 708d7d0d11f0f2d776171979aa3479e8e12a38a0 Mon Sep 17 00:00:00 2001
10From: Nick Clifton <nickc@redhat.com>
11Date: Tue, 28 Oct 2014 10:48:14 +0000
12Subject: [PATCH] This patch fixes a flaw in the SREC parser which could cause
13 a stack overflow and potential secuiryt breach.
14
15 PR binutils/17510
16 * srec.c (srec_bad_byte): Increase size of buf to allow for
17 negative values.
18 (srec_scan): Use an unsigned char buffer to hold header bytes.
19---
20 bfd/ChangeLog | 8 ++++++++
21 bfd/elf.c | 2 +-
22 bfd/peXXigen.c | 1 -
23 bfd/srec.c | 4 ++--
24 4 files changed, 11 insertions(+), 4 deletions(-)
25
26Index: binutils-2.24/bfd/ChangeLog
27===================================================================
28--- binutils-2.24.orig/bfd/ChangeLog
29+++ binutils-2.24/bfd/ChangeLog
30@@ -1,3 +1,11 @@
31+2014-10-28 Andreas Schwab <schwab@suse.de>
32+ Nick Clifton <nickc@redhat.com>
33+
34+ PR binutils/17510
35+ * srec.c (srec_bad_byte): Increase size of buf to allow for
36+ negative values.
37+ (srec_scan): Use an unsigned char buffer to hold header bytes.
38+
39 2014-10-30 Nick Clifton <nickc@redhat.com>
40
41 PR binutils/17512
42Index: binutils-2.24/bfd/peXXigen.c
43===================================================================
44--- binutils-2.24.orig/bfd/peXXigen.c
45+++ binutils-2.24/bfd/peXXigen.c
46@@ -471,7 +471,6 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd,
47 a->NumberOfRvaAndSizes = 0;
48 }
49
50-
51 for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++)
52 {
53 /* If data directory is empty, rva also should be 0. */
54Index: binutils-2.24/bfd/srec.c
55===================================================================
56--- binutils-2.24.orig/bfd/srec.c
57+++ binutils-2.24/bfd/srec.c
58@@ -248,7 +248,7 @@ srec_bad_byte (bfd *abfd,
59 }
60 else
61 {
62- char buf[10];
63+ char buf[40];
64
65 if (! ISPRINT (c))
66 sprintf (buf, "\\%03o", (unsigned int) c);
67@@ -454,7 +454,7 @@ srec_scan (bfd *abfd)
68 case 'S':
69 {
70 file_ptr pos;
71- char hdr[3];
72+ unsigned char hdr[3];
73 unsigned int bytes, min_bytes;
74 bfd_vma address;
75 bfd_byte *data;
diff --git a/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8737.patch b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8737.patch
new file mode 100644
index 0000000000..4a84562201
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8737.patch
@@ -0,0 +1,177 @@
1Upstream-Status: Backport
2
3CVE-2014-8737 fix.
4
5[YOCTO #7084]
6
7Signed-off-by: Armin Kuster <akuster808@gmail.com>
8
9From dd9b91de2149ee81d47f708e7b0bbf57da10ad42 Mon Sep 17 00:00:00 2001
10From: Nick Clifton <nickc@redhat.com>
11Date: Thu, 6 Nov 2014 14:49:10 +0000
12Subject: [PATCH] Prevent archive memebers with illegal pathnames from being
13 extracted from an archive.
14
15 PR binutils/17552, binutils/17533
16 * bucomm.c (is_valid_archive_path): New function. Returns false
17 for absolute pathnames and pathnames that include /../.
18 * bucomm.h (is_valid_archive_path): Add prototype.
19 * ar.c (extract_file): Use new function to check for valid
20 pathnames when extracting files from an archive.
21 * objcopy.c (copy_archive): Likewise.
22 * doc/binutils.texi: Update documentation to mention the
23 limitation on pathname of archive members.
24---
25 binutils/ChangeLog | 16 ++++++++++++++--
26 binutils/ar.c | 9 +++++++++
27 binutils/bucomm.c | 26 ++++++++++++++++++++++++++
28 binutils/bucomm.h | 12 ++++++++----
29 binutils/doc/binutils.texi | 3 ++-
30 binutils/objcopy.c | 6 ++++++
31 6 files changed, 65 insertions(+), 7 deletions(-)
32
33Index: binutils-2.24/binutils/ar.c
34===================================================================
35--- binutils-2.24.orig/binutils/ar.c
36+++ binutils-2.24/binutils/ar.c
37@@ -1031,6 +1031,15 @@ extract_file (bfd *abfd)
38 bfd_size_type size;
39 struct stat buf;
40
41+ /* PR binutils/17533: Do not allow directory traversal
42+ outside of the current directory tree. */
43+ if (! is_valid_archive_path (bfd_get_filename (abfd)))
44+ {
45+ non_fatal (_("illegal pathname found in archive member: %s"),
46+ bfd_get_filename (abfd));
47+ return;
48+ }
49+
50 if (bfd_stat_arch_elt (abfd, &buf) != 0)
51 /* xgettext:c-format */
52 fatal (_("internal stat error on %s"), bfd_get_filename (abfd));
53Index: binutils-2.24/binutils/bucomm.c
54===================================================================
55--- binutils-2.24.orig/binutils/bucomm.c
56+++ binutils-2.24/binutils/bucomm.c
57@@ -624,3 +624,29 @@ bfd_get_archive_filename (const bfd *abf
58 bfd_get_filename (abfd));
59 return buf;
60 }
61+
62+/* Returns TRUE iff PATHNAME, a filename of an archive member,
63+ is valid for writing. For security reasons absolute paths
64+ and paths containing /../ are not allowed. See PR 17533. */
65+
66+bfd_boolean
67+is_valid_archive_path (char const * pathname)
68+{
69+ const char * n = pathname;
70+
71+ if (IS_ABSOLUTE_PATH (n))
72+ return FALSE;
73+
74+ while (*n)
75+ {
76+ if (*n == '.' && *++n == '.' && ( ! *++n || IS_DIR_SEPARATOR (*n)))
77+ return FALSE;
78+
79+ while (*n && ! IS_DIR_SEPARATOR (*n))
80+ n++;
81+ while (IS_DIR_SEPARATOR (*n))
82+ n++;
83+ }
84+
85+ return TRUE;
86+}
87Index: binutils-2.24/binutils/bucomm.h
88===================================================================
89--- binutils-2.24.orig/binutils/bucomm.h
90+++ binutils-2.24/binutils/bucomm.h
91@@ -23,6 +23,8 @@
92 #ifndef _BUCOMM_H
93 #define _BUCOMM_H
94
95+/* In bucomm.c. */
96+
97 /* Return the filename in a static buffer. */
98 const char *bfd_get_archive_filename (const bfd *);
99
100@@ -58,20 +60,22 @@ bfd_vma parse_vma (const char *, const c
101
102 off_t get_file_size (const char *);
103
104+bfd_boolean is_valid_archive_path (char const *);
105+
106 extern char *program_name;
107
108-/* filemode.c */
109+/* In filemode.c. */
110 void mode_string (unsigned long, char *);
111
112-/* version.c */
113+/* In version.c. */
114 extern void print_version (const char *);
115
116-/* rename.c */
117+/* In rename.c. */
118 extern void set_times (const char *, const struct stat *);
119
120 extern int smart_rename (const char *, const char *, int);
121
122-/* libiberty. */
123+/* In libiberty. */
124 void *xmalloc (size_t);
125
126 void *xrealloc (void *, size_t);
127Index: binutils-2.24/binutils/doc/binutils.texi
128===================================================================
129--- binutils-2.24.orig/binutils/doc/binutils.texi
130+++ binutils-2.24/binutils/doc/binutils.texi
131@@ -234,7 +234,8 @@ a normal archive. Instead the elements
132 individually to the second archive.
133
134 The paths to the elements of the archive are stored relative to the
135-archive itself.
136+archive itself. For security reasons absolute paths and paths with a
137+@code{/../} component are not allowed.
138
139 @cindex compatibility, @command{ar}
140 @cindex @command{ar} compatibility
141Index: binutils-2.24/binutils/objcopy.c
142===================================================================
143--- binutils-2.24.orig/binutils/objcopy.c
144+++ binutils-2.24/binutils/objcopy.c
145@@ -2206,6 +2206,12 @@ copy_archive (bfd *ibfd, bfd *obfd, cons
146 bfd_boolean del = TRUE;
147 bfd_boolean ok_object;
148
149+ /* PR binutils/17533: Do not allow directory traversal
150+ outside of the current directory tree by archive members. */
151+ if (! is_valid_archive_path (bfd_get_filename (this_element)))
152+ fatal (_("illegal pathname found in archive member: %s"),
153+ bfd_get_filename (this_element));
154+
155 /* Create an output file for this member. */
156 output_name = concat (dir, "/",
157 bfd_get_filename (this_element), (char *) 0);
158Index: binutils-2.24/binutils/ChangeLog
159===================================================================
160--- binutils-2.24.orig/binutils/ChangeLog
161+++ binutils-2.24/binutils/ChangeLog
162@@ -1,3 +1,15 @@
163+2014-11-06 Nick Clifton <nickc@redhat.com>
164+
165+ PR binutils/17552, binutils/17533
166+ * bucomm.c (is_valid_archive_path): New function. Returns false
167+ for absolute pathnames and pathnames that include /../.
168+ * bucomm.h (is_valid_archive_path): Add prototype.
169+ * ar.c (extract_file): Use new function to check for valid
170+ pathnames when extracting files from an archive.
171+ * objcopy.c (copy_archive): Likewise.
172+ * doc/binutils.texi: Update documentation to mention the
173+ limitation on pathname of archive members.
174+
175 2013-11-22 Cory Fields <cory@coryfields.com>
176
177 * windres.c (define_resource): Use zero for timestamp, making