summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8737.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8737.patch')
-rw-r--r--meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8737.patch177
1 files changed, 177 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8737.patch b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8737.patch
new file mode 100644
index 0000000000..4a84562201
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8737.patch
@@ -0,0 +1,177 @@
1Upstream-Status: Backport
2
3CVE-2014-8737 fix.
4
5[YOCTO #7084]
6
7Signed-off-by: Armin Kuster <akuster808@gmail.com>
8
9From dd9b91de2149ee81d47f708e7b0bbf57da10ad42 Mon Sep 17 00:00:00 2001
10From: Nick Clifton <nickc@redhat.com>
11Date: Thu, 6 Nov 2014 14:49:10 +0000
12Subject: [PATCH] Prevent archive memebers with illegal pathnames from being
13 extracted from an archive.
14
15 PR binutils/17552, binutils/17533
16 * bucomm.c (is_valid_archive_path): New function. Returns false
17 for absolute pathnames and pathnames that include /../.
18 * bucomm.h (is_valid_archive_path): Add prototype.
19 * ar.c (extract_file): Use new function to check for valid
20 pathnames when extracting files from an archive.
21 * objcopy.c (copy_archive): Likewise.
22 * doc/binutils.texi: Update documentation to mention the
23 limitation on pathname of archive members.
24---
25 binutils/ChangeLog | 16 ++++++++++++++--
26 binutils/ar.c | 9 +++++++++
27 binutils/bucomm.c | 26 ++++++++++++++++++++++++++
28 binutils/bucomm.h | 12 ++++++++----
29 binutils/doc/binutils.texi | 3 ++-
30 binutils/objcopy.c | 6 ++++++
31 6 files changed, 65 insertions(+), 7 deletions(-)
32
33Index: binutils-2.24/binutils/ar.c
34===================================================================
35--- binutils-2.24.orig/binutils/ar.c
36+++ binutils-2.24/binutils/ar.c
37@@ -1031,6 +1031,15 @@ extract_file (bfd *abfd)
38 bfd_size_type size;
39 struct stat buf;
40
41+ /* PR binutils/17533: Do not allow directory traversal
42+ outside of the current directory tree. */
43+ if (! is_valid_archive_path (bfd_get_filename (abfd)))
44+ {
45+ non_fatal (_("illegal pathname found in archive member: %s"),
46+ bfd_get_filename (abfd));
47+ return;
48+ }
49+
50 if (bfd_stat_arch_elt (abfd, &buf) != 0)
51 /* xgettext:c-format */
52 fatal (_("internal stat error on %s"), bfd_get_filename (abfd));
53Index: binutils-2.24/binutils/bucomm.c
54===================================================================
55--- binutils-2.24.orig/binutils/bucomm.c
56+++ binutils-2.24/binutils/bucomm.c
57@@ -624,3 +624,29 @@ bfd_get_archive_filename (const bfd *abf
58 bfd_get_filename (abfd));
59 return buf;
60 }
61+
62+/* Returns TRUE iff PATHNAME, a filename of an archive member,
63+ is valid for writing. For security reasons absolute paths
64+ and paths containing /../ are not allowed. See PR 17533. */
65+
66+bfd_boolean
67+is_valid_archive_path (char const * pathname)
68+{
69+ const char * n = pathname;
70+
71+ if (IS_ABSOLUTE_PATH (n))
72+ return FALSE;
73+
74+ while (*n)
75+ {
76+ if (*n == '.' && *++n == '.' && ( ! *++n || IS_DIR_SEPARATOR (*n)))
77+ return FALSE;
78+
79+ while (*n && ! IS_DIR_SEPARATOR (*n))
80+ n++;
81+ while (IS_DIR_SEPARATOR (*n))
82+ n++;
83+ }
84+
85+ return TRUE;
86+}
87Index: binutils-2.24/binutils/bucomm.h
88===================================================================
89--- binutils-2.24.orig/binutils/bucomm.h
90+++ binutils-2.24/binutils/bucomm.h
91@@ -23,6 +23,8 @@
92 #ifndef _BUCOMM_H
93 #define _BUCOMM_H
94
95+/* In bucomm.c. */
96+
97 /* Return the filename in a static buffer. */
98 const char *bfd_get_archive_filename (const bfd *);
99
100@@ -58,20 +60,22 @@ bfd_vma parse_vma (const char *, const c
101
102 off_t get_file_size (const char *);
103
104+bfd_boolean is_valid_archive_path (char const *);
105+
106 extern char *program_name;
107
108-/* filemode.c */
109+/* In filemode.c. */
110 void mode_string (unsigned long, char *);
111
112-/* version.c */
113+/* In version.c. */
114 extern void print_version (const char *);
115
116-/* rename.c */
117+/* In rename.c. */
118 extern void set_times (const char *, const struct stat *);
119
120 extern int smart_rename (const char *, const char *, int);
121
122-/* libiberty. */
123+/* In libiberty. */
124 void *xmalloc (size_t);
125
126 void *xrealloc (void *, size_t);
127Index: binutils-2.24/binutils/doc/binutils.texi
128===================================================================
129--- binutils-2.24.orig/binutils/doc/binutils.texi
130+++ binutils-2.24/binutils/doc/binutils.texi
131@@ -234,7 +234,8 @@ a normal archive. Instead the elements
132 individually to the second archive.
133
134 The paths to the elements of the archive are stored relative to the
135-archive itself.
136+archive itself. For security reasons absolute paths and paths with a
137+@code{/../} component are not allowed.
138
139 @cindex compatibility, @command{ar}
140 @cindex @command{ar} compatibility
141Index: binutils-2.24/binutils/objcopy.c
142===================================================================
143--- binutils-2.24.orig/binutils/objcopy.c
144+++ binutils-2.24/binutils/objcopy.c
145@@ -2206,6 +2206,12 @@ copy_archive (bfd *ibfd, bfd *obfd, cons
146 bfd_boolean del = TRUE;
147 bfd_boolean ok_object;
148
149+ /* PR binutils/17533: Do not allow directory traversal
150+ outside of the current directory tree by archive members. */
151+ if (! is_valid_archive_path (bfd_get_filename (this_element)))
152+ fatal (_("illegal pathname found in archive member: %s"),
153+ bfd_get_filename (this_element));
154+
155 /* Create an output file for this member. */
156 output_name = concat (dir, "/",
157 bfd_get_filename (this_element), (char *) 0);
158Index: binutils-2.24/binutils/ChangeLog
159===================================================================
160--- binutils-2.24.orig/binutils/ChangeLog
161+++ binutils-2.24/binutils/ChangeLog
162@@ -1,3 +1,15 @@
163+2014-11-06 Nick Clifton <nickc@redhat.com>
164+
165+ PR binutils/17552, binutils/17533
166+ * bucomm.c (is_valid_archive_path): New function. Returns false
167+ for absolute pathnames and pathnames that include /../.
168+ * bucomm.h (is_valid_archive_path): Add prototype.
169+ * ar.c (extract_file): Use new function to check for valid
170+ pathnames when extracting files from an archive.
171+ * objcopy.c (copy_archive): Likewise.
172+ * doc/binutils.texi: Update documentation to mention the
173+ limitation on pathname of archive members.
174+
175 2013-11-22 Cory Fields <cory@coryfields.com>
176
177 * windres.c (define_resource): Use zero for timestamp, making