binutls: Security fix CVE-2018-7208

Affects <= 2.30 (From OE-Core rev: a994ef27a997bce0dd18f8e507b8d795b8111aeb) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2018-08-05 21:59:02 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-06 16:24:02 +0100
commit: 3db593919bcb10938d02f6eec1a026d16191b225 (patch)
tree: 5c81480d9ad0bb2e568c0183e1f2e960d1f8bbf2 /meta/recipes-devtools
parent: e23d92483830a7e93ba367a282247fee097837d6 (diff)
download: poky-3db593919bcb10938d02f6eec1a026d16191b225.tar.gz
2 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.30.inc b/meta/recipes-devtools/binutils/binutils-2.30.inc
index 6b915fa093..3a39d5f7b8 100644
--- a/meta/recipes-devtools/binutils/binutils-2.30.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.30.inc
@@ -40,6 +40,7 @@ SRC_URI = "\
     file://CVE-2018-6872.patch \ 
     file://CVE-2018-6759.patch \
     file://CVE-2018-7642.patch \
+     file://CVE-2018-7208.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7208.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7208.patch
new file mode 100644
index 0000000000..8efefebc23
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7208.patch
@@ -0,0 +1,47 @@
+From eb77f6a4621795367a39cdd30957903af9dbb815 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 27 Jan 2018 08:19:33 +1030
+Subject: [PATCH] PR22741, objcopy segfault on fuzzed COFF object
+        PR 22741
+        * coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
+        range before converting to a symbol table pointer.
+Upstream-Status: Backport
+Affects: Binutils <= 2.30
+CVE:  CVE-2018-7208
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/coffgen.c | 3 ++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+Index: git/bfd/coffgen.c
+===================================================================
+--- git.orig/bfd/coffgen.c
+++ git/bfd/coffgen.c
+@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd,
+     }
+   /* A negative tagndx is meaningless, but the SCO 3.2v4 cc can
+      generate one, so we must be careful to ignore it.  */
+-  if (auxent->u.auxent.x_sym.x_tagndx.l > 0)
+  if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l
+      < obj_raw_syment_count (abfd))
+     {
+       auxent->u.auxent.x_sym.x_tagndx.p =
+        table_base + auxent->u.auxent.x_sym.x_tagndx.l;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
+2018-01-29  Alan Modra  <amodra@gmail.com>
+
+       PR 22741
+       * coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
+       range before converting to a symbol table pointer.
+
+ 2018-02-28  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22887
author	Armin Kuster <akuster@mvista.com>	2018-08-05 21:59:02 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-06 16:24:02 +0100
commit	3db593919bcb10938d02f6eec1a026d16191b225 (patch)
tree	5c81480d9ad0bb2e568c0183e1f2e960d1f8bbf2 /meta/recipes-devtools
parent	e23d92483830a7e93ba367a282247fee097837d6 (diff)
download	poky-3db593919bcb10938d02f6eec1a026d16191b225.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.30.inc b/meta/recipes-devtools/binutils/binutils-2.30.inc index 6b915fa093..3a39d5f7b8 100644 --- a/meta/recipes-devtools/binutils/binutils-2.30.inc +++ b/meta/recipes-devtools/binutils/binutils-2.30.inc
@@ -40,6 +40,7 @@ SRC_URI = "\
40	file://CVE-2018-6872.patch \	40	file://CVE-2018-6872.patch \
41	file://CVE-2018-6759.patch \	41	file://CVE-2018-6759.patch \
42	file://CVE-2018-7642.patch \	42	file://CVE-2018-7642.patch \
		43	file://CVE-2018-7208.patch \
43	"	44	"
44	S = "${WORKDIR}/git"	45	S = "${WORKDIR}/git"
45		46


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7208.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7208.patch new file mode 100644 index 0000000000..8efefebc23 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7208.patch
@@ -0,0 +1,47 @@
		1	From eb77f6a4621795367a39cdd30957903af9dbb815 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Sat, 27 Jan 2018 08:19:33 +1030
		4	Subject: [PATCH] PR22741, objcopy segfault on fuzzed COFF object
		5
		6	PR 22741
		7	* coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
		8	range before converting to a symbol table pointer.
		9
		10	Upstream-Status: Backport
		11	Affects: Binutils <= 2.30
		12	CVE: CVE-2018-7208
		13	Signed-off-by: Armin Kuster <akuster@mvista.com>
		14
		15	---
		16	bfd/ChangeLog \| 6 ++++++
		17	bfd/coffgen.c \| 3 ++-
		18	2 files changed, 8 insertions(+), 1 deletion(-)
		19
		20	Index: git/bfd/coffgen.c
		21	===================================================================
		22	--- git.orig/bfd/coffgen.c
		23	+++ git/bfd/coffgen.c
		24	@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd,
		25	}
		26	/* A negative tagndx is meaningless, but the SCO 3.2v4 cc can
		27	generate one, so we must be careful to ignore it. */
		28	- if (auxent->u.auxent.x_sym.x_tagndx.l > 0)
		29	+ if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l
		30	+ < obj_raw_syment_count (abfd))
		31	{
		32	auxent->u.auxent.x_sym.x_tagndx.p =
		33	table_base + auxent->u.auxent.x_sym.x_tagndx.l;
		34	Index: git/bfd/ChangeLog
		35	===================================================================
		36	--- git.orig/bfd/ChangeLog
		37	+++ git/bfd/ChangeLog
		38	@@ -1,3 +1,9 @@
		39	+2018-01-29 Alan Modra <amodra@gmail.com>
		40	+
		41	+ PR 22741
		42	+ * coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
		43	+ range before converting to a symbol table pointer.
		44	+
		45	2018-02-28 Alan Modra <amodra@gmail.com>
		46
		47	PR 22887