From d85be1b736069ccad25b552cb1a431dad6d04270 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Mon, 6 Aug 2018 19:41:18 -0700 Subject: binutls: Security fix for CVE-2017-15996 Affects: <= 2.29.1 (From OE-Core rev: ee5ad659a9f2ea1714e3ae51ca1948f165fb21d3) Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie --- meta/recipes-devtools/binutils/binutils-2.29.1.inc | 1 + .../binutils/binutils/CVE-2017-15996.patch | 84 ++++++++++++++++++++++ 2 files changed, 85 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-15996.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index cb0502d4b5..cf131c62a0 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc @@ -51,6 +51,7 @@ SRC_URI = "\ file://CVE-2017-15025.patch \ file://CVE-2017-15225.patch \ file://CVE-2017-15939.patch \ + file://CVE-2017-15996.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15996.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15996.patch new file mode 100644 index 0000000000..dab8380e33 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15996.patch @@ -0,0 +1,84 @@ +From d91f0b20e561e326ee91a09a76206257bde8438b Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Sat, 28 Oct 2017 21:31:16 +1030 +Subject: [PATCH] PR22361 readelf buffer overflow on fuzzed archive header + + PR 22361 + * readelf.c (process_archive_index_and_symbols): Ensure ar_size + field is zero terminated for strtoul. + (setup_archive, get_archive_member_name): Likewise. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-15996 +Signed-off-by: Armin Kuster + +--- + binutils/ChangeLog | 7 +++++++ + binutils/elfcomm.c | 11 +++++++++++ + 2 files changed, 18 insertions(+) + +Index: git/binutils/elfcomm.c +=================================================================== +--- git.orig/binutils/elfcomm.c ++++ git/binutils/elfcomm.c +@@ -466,8 +466,12 @@ process_archive_index_and_symbols (struc + { + size_t got; + unsigned long size; ++ char fmag_save; + ++ fmag_save = arch->arhdr.ar_fmag[0]; ++ arch->arhdr.ar_fmag[0] = 0; + size = strtoul (arch->arhdr.ar_size, NULL, 10); ++ arch->arhdr.ar_fmag[0] = fmag_save; + /* PR 17531: file: 912bd7de. */ + if ((signed long) size < 0) + { +@@ -655,7 +659,10 @@ setup_archive (struct archive_info *arch + if (const_strneq (arch->arhdr.ar_name, "// ")) + { + /* This is the archive string table holding long member names. */ ++ char fmag_save = arch->arhdr.ar_fmag[0]; ++ arch->arhdr.ar_fmag[0] = 0; + arch->longnames_size = strtoul (arch->arhdr.ar_size, NULL, 10); ++ arch->arhdr.ar_fmag[0] = fmag_save; + /* PR 17531: file: 01068045. */ + if (arch->longnames_size < 8) + { +@@ -758,6 +765,7 @@ get_archive_member_name (struct archive_ + char *endp; + char *member_file_name; + char *member_name; ++ char fmag_save; + + if (arch->longnames == NULL || arch->longnames_size == 0) + { +@@ -766,9 +774,12 @@ get_archive_member_name (struct archive_ + } + + arch->nested_member_origin = 0; ++ fmag_save = arch->arhdr.ar_fmag[0]; ++ arch->arhdr.ar_fmag[0] = 0; + k = j = strtoul (arch->arhdr.ar_name + 1, &endp, 10); + if (arch->is_thin_archive && endp != NULL && * endp == ':') + arch->nested_member_origin = strtoul (endp + 1, NULL, 10); ++ arch->arhdr.ar_fmag[0] = fmag_save; + + if (j > arch->longnames_size) + { +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,10 @@ ++2017-10-28 Alan Modra ++ ++ PR 22361 ++ * readelf.c (process_archive_index_and_symbols): Ensure ar_size ++ field is zero terminated for strtoul. ++ (setup_archive, get_archive_member_name): Likewise. ++ + 2017-09-26 Alan Modra + + PR 22205 -- cgit v1.2.3-54-g00ecf