author | Armin Kuster <akuster808@gmail.com> | 2014-12-26 08:51:53 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-12-27 22:53:40 +0000 |
commit | 6dde745bf90d9f9e52af3779df28879d91cbc64c (patch) | |
tree | d12c1b2cae393e4732c31fd503b4f0967921b3bb /meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8737.patch | |
parent | 508c95d9896ddfa892aa2e9a26a4508112658ad5 (diff) | |
download | poky-6dde745bf90d9f9e52af3779df28879d91cbc64c.tar.gz |
binutils: several security fixes
CVE-2014-8484
CVE-2014-8485
CVE-2014-8501
CVE-2014-8502
CVE-2014-8503
CVE-2014-8504
CVE-2014-8737
and one supporting patch.
[Yocto # 7084]
(From OE-Core rev: 859fb4d9ec6974be9ce755e4ffefd9b199f3604c)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8737.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8737.patch | 177 |
1 files changed, 177 insertions, 0 deletions
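--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8737.patch
@@ -0,0 +1,177 @@
+Upstream-Status: Backport
+
+CVE-2014-8737 fix.
+
+[YOCTO #7084]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+From dd9b91de2149ee81d47f708e7b0bbf57da10ad42 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 6 Nov 2014 14:49:10 +0000
+Subject: [PATCH] Prevent archive memebers with illegal pathnames from being
+extracted from an archive.
+
+PR binutils/17552, binutils/17533
+* bucomm.c (is_valid_archive_path): New function. Returns false
+for absolute pathnames and pathnames that include /../.
+* bucomm.h (is_valid_archive_path): Add prototype.
+* ar.c (extract_file): Use new function to check for valid
+pathnames when extracting files from an archive.
+* objcopy.c (copy_archive): Likewise.
+* doc/binutils.texi: Update documentation to mention the
+limitation on pathname of archive members.
+---
+binutils/ChangeLog | 16 ++++++++++++++--
+binutils/ar.c | 9 +++++++++
+binutils/bucomm.c | 26 ++++++++++++++++++++++++++
+binutils/bucomm.h | 12 ++++++++----
+binutils/doc/binutils.texi | 3 ++-
+binutils/objcopy.c | 6 ++++++
+6 files changed, 65 insertions(+), 7 deletions(-)
+
+Index: binutils-2.24/binutils/ar.c
+===================================================================
+--- binutils-2.24.orig/binutils/ar.c
++++ binutils-2.24/binutils/ar.c
+@@ -1031,6 +1031,15 @@ extract_file (bfd *abfd)
+bfd_size_type size;
+struct stat buf;
+
++ /* PR binutils/17533: Do not allow directory traversal
++ outside of the current directory tree. */
++ if (! is_valid_archive_path (bfd_get_filename (abfd)))
++ {
++ non_fatal (_("illegal pathname found in archive member: %s"),
++ bfd_get_filename (abfd));
++ return;
++ }
++
+if (bfd_stat_arch_elt (abfd, &buf) != 0)
+/* xgettext:c-format */
+fatal (_("internal stat error on %s"), bfd_get_filename (abfd));
+Index: binutils-2.24/binutils/bucomm.c
+===================================================================
+--- binutils-2.24.orig/binutils/bucomm.c
++++ binutils-2.24/binutils/bucomm.c
+@@ -624,3 +624,29 @@ bfd_get_archive_filename (const bfd *abf
+bfd_get_filename (abfd));
+return buf;
+}
++
++/* Returns TRUE iff PATHNAME, a filename of an archive member,
++ is valid for writing. For security reasons absolute paths
++ and paths containing /../ are not allowed. See PR 17533. */
++
++bfd_boolean
++is_valid_archive_path (char const * pathname)
++{
++ const char * n = pathname;
++
++ if (IS_ABSOLUTE_PATH (n))
++ return FALSE;
++
++ while (*n)
++ {
++ if (*n == '.' && *++n == '.' && ( ! *++n || IS_DIR_SEPARATOR (*n)))
++ return FALSE;
++
++ while (*n && ! IS_DIR_SEPARATOR (*n))
++ n++;
++ while (IS_DIR_SEPARATOR (*n))
++ n++;
++ }
++
++ return TRUE;
++}
+Index: binutils-2.24/binutils/bucomm.h
+===================================================================
+--- binutils-2.24.orig/binutils/bucomm.h
++++ binutils-2.24/binutils/bucomm.h
+@@ -23,6 +23,8 @@
+#ifndef _BUCOMM_H
+#define _BUCOMM_H
+
++/* In bucomm.c. */
++
+/* Return the filename in a static buffer. */
+const char *bfd_get_archive_filename (const bfd *);
+
+@@ -58,20 +60,22 @@ bfd_vma parse_vma (const char *, const c
+
+off_t get_file_size (const char *);
+
++bfd_boolean is_valid_archive_path (char const *);
++
+extern char *program_name;
+
+-/* filemode.c */
++/* In filemode.c. */
+void mode_string (unsigned long, char *);
+
+-/* version.c */
++/* In version.c. */
+extern void print_version (const char *);
+
+-/* rename.c */
++/* In rename.c. */
+extern void set_times (const char *, const struct stat *);
+
+extern int smart_rename (const char *, const char *, int);
+
+-/* libiberty. */
++/* In libiberty. */
+void *xmalloc (size_t);
+
+void *xrealloc (void *, size_t);
+Index: binutils-2.24/binutils/doc/binutils.texi
+===================================================================
+--- binutils-2.24.orig/binutils/doc/binutils.texi
++++ binutils-2.24/binutils/doc/binutils.texi
+@@ -234,7 +234,8 @@ a normal archive. Instead the elements
+individually to the second archive.
+
+The paths to the elements of the archive are stored relative to the
+-archive itself.
++archive itself. For security reasons absolute paths and paths with a
++@code{/../} component are not allowed.
+
+@cindex compatibility, @command{ar}
+@cindex @command{ar} compatibility
+Index: binutils-2.24/binutils/objcopy.c
+===================================================================
+--- binutils-2.24.orig/binutils/objcopy.c
++++ binutils-2.24/binutils/objcopy.c
+@@ -2206,6 +2206,12 @@ copy_archive (bfd *ibfd, bfd *obfd, cons
+bfd_boolean del = TRUE;
+bfd_boolean ok_object;
+
++ /* PR binutils/17533: Do not allow directory traversal
++ outside of the current directory tree by archive members. */
++ if (! is_valid_archive_path (bfd_get_filename (this_element)))
++ fatal (_("illegal pathname found in archive member: %s"),
++ bfd_get_filename (this_element));
++
+/* Create an output file for this member. */
+output_name = concat (dir, "/",
+bfd_get_filename (this_element), (char *) 0);
+Index: binutils-2.24/binutils/ChangeLog
+===================================================================
+--- binutils-2.24.orig/binutils/ChangeLog
++++ binutils-2.24/binutils/ChangeLog
+@@ -1,3 +1,15 @@
++2014-11-06 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/17552, binutils/17533
++ * bucomm.c (is_valid_archive_path): New function. Returns false
++ for absolute pathnames and pathnames that include /../.
++ * bucomm.h (is_valid_archive_path): Add prototype.
++ * ar.c (extract_file): Use new function to check for valid
++ pathnames when extracting files from an archive.
++ * objcopy.c (copy_archive): Likewise.
++ * doc/binutils.texi: Update documentation to mention the
++ limitation on pathname of archive members.
++
+2013-11-22 Cory Fields <cory@coryfields.com>
+
+* windres.c (define_resource): Use zero for timestamp, making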
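Review bot: In the ar.c hunk a rejected member only gets `non_fatal (...)` followed by a bare `return;`, so as far as this hunk shows `ar x` still finishes with a success exit status and a calling script cannot tell that a member was skipped, whereas the objcopy.c hunk makes the same condition `fatal`. Either use `fatal` in extract_file as well, or set whatever exit-status flag ar.c keeps (not visible here) before returning, so that the difference between the two tools is deliberate rather than accidental. The comment on is_valid_archive_path in bucomm.c describes the rule as rejecting "paths containing /../", but the loop rejects any component that is exactly `..`, including a leading `../` and a trailing `/..`, which is the stronger guarantee a reader should be told about; I would add `/* Any path component that is exactly ".." is rejected, wherever it occurs. */`. extract_file and copy_archive both begin and end outside their hunks.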