summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2018-08-07 02:41:18 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-08-15 09:22:45 (GMT)
commitd85be1b736069ccad25b552cb1a431dad6d04270 (patch)
tree7da8337337bdd9bf38eda194fb6cccf4fb0fda70
parentf0be43144f1b8719d7342c9288dc8efe2c050e60 (diff)
downloadpoky-d85be1b736069ccad25b552cb1a431dad6d04270.tar.gz
binutls: Security fix for CVE-2017-15996
Affects: <= 2.29.1 (From OE-Core rev: ee5ad659a9f2ea1714e3ae51ca1948f165fb21d3) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.29.1.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2017-15996.patch84
2 files changed, 85 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index cb0502d..cf131c6 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -51,6 +51,7 @@ SRC_URI = "\
51 file://CVE-2017-15025.patch \ 51 file://CVE-2017-15025.patch \
52 file://CVE-2017-15225.patch \ 52 file://CVE-2017-15225.patch \
53 file://CVE-2017-15939.patch \ 53 file://CVE-2017-15939.patch \
54 file://CVE-2017-15996.patch \
54" 55"
55S = "${WORKDIR}/git" 56S = "${WORKDIR}/git"
56 57
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15996.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15996.patch
new file mode 100644
index 0000000..dab8380
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15996.patch
@@ -0,0 +1,84 @@
1From d91f0b20e561e326ee91a09a76206257bde8438b Mon Sep 17 00:00:00 2001
2From: Alan Modra <amodra@gmail.com>
3Date: Sat, 28 Oct 2017 21:31:16 +1030
4Subject: [PATCH] PR22361 readelf buffer overflow on fuzzed archive header
5
6 PR 22361
7 * readelf.c (process_archive_index_and_symbols): Ensure ar_size
8 field is zero terminated for strtoul.
9 (setup_archive, get_archive_member_name): Likewise.
10
11Upstream-Status: Backport
12Affects: <= 2.29.1
13CVE: CVE-2017-15996
14Signed-off-by: Armin Kuster <akuster@mvista.com>
15
16---
17 binutils/ChangeLog | 7 +++++++
18 binutils/elfcomm.c | 11 +++++++++++
19 2 files changed, 18 insertions(+)
20
21Index: git/binutils/elfcomm.c
22===================================================================
23--- git.orig/binutils/elfcomm.c
24+++ git/binutils/elfcomm.c
25@@ -466,8 +466,12 @@ process_archive_index_and_symbols (struc
26 {
27 size_t got;
28 unsigned long size;
29+ char fmag_save;
30
31+ fmag_save = arch->arhdr.ar_fmag[0];
32+ arch->arhdr.ar_fmag[0] = 0;
33 size = strtoul (arch->arhdr.ar_size, NULL, 10);
34+ arch->arhdr.ar_fmag[0] = fmag_save;
35 /* PR 17531: file: 912bd7de. */
36 if ((signed long) size < 0)
37 {
38@@ -655,7 +659,10 @@ setup_archive (struct archive_info *arch
39 if (const_strneq (arch->arhdr.ar_name, "// "))
40 {
41 /* This is the archive string table holding long member names. */
42+ char fmag_save = arch->arhdr.ar_fmag[0];
43+ arch->arhdr.ar_fmag[0] = 0;
44 arch->longnames_size = strtoul (arch->arhdr.ar_size, NULL, 10);
45+ arch->arhdr.ar_fmag[0] = fmag_save;
46 /* PR 17531: file: 01068045. */
47 if (arch->longnames_size < 8)
48 {
49@@ -758,6 +765,7 @@ get_archive_member_name (struct archive_
50 char *endp;
51 char *member_file_name;
52 char *member_name;
53+ char fmag_save;
54
55 if (arch->longnames == NULL || arch->longnames_size == 0)
56 {
57@@ -766,9 +774,12 @@ get_archive_member_name (struct archive_
58 }
59
60 arch->nested_member_origin = 0;
61+ fmag_save = arch->arhdr.ar_fmag[0];
62+ arch->arhdr.ar_fmag[0] = 0;
63 k = j = strtoul (arch->arhdr.ar_name + 1, &endp, 10);
64 if (arch->is_thin_archive && endp != NULL && * endp == ':')
65 arch->nested_member_origin = strtoul (endp + 1, NULL, 10);
66+ arch->arhdr.ar_fmag[0] = fmag_save;
67
68 if (j > arch->longnames_size)
69 {
70Index: git/bfd/ChangeLog
71===================================================================
72--- git.orig/bfd/ChangeLog
73+++ git/bfd/ChangeLog
74@@ -1,3 +1,10 @@
75+2017-10-28 Alan Modra <amodra@gmail.com>
76+
77+ PR 22361
78+ * readelf.c (process_archive_index_and_symbols): Ensure ar_size
79+ field is zero terminated for strtoul.
80+ (setup_archive, get_archive_member_name): Likewise.
81+
82 2017-09-26 Alan Modra <amodra@gmail.com>
83
84 PR 22205