[oe-commits] [openembedded-core] 04/13: binutls: Security fix CVE-2018-6759
git at git.openembedded.org
git at git.openembedded.org
Mon Aug 6 15:33:09 UTC 2018
This is an automated email from the git hooks/post-receive script.
rpurdie pushed a commit to branch sumo
in repository openembedded-core.
commit 8f9b8ee0e7ad6526a3f93a8f0ca8e9fe055fdff6
Author: Armin Kuster <akuster at mvista.com>
AuthorDate: Sun Aug 5 22:00:28 2018 -0700
binutls: Security fix CVE-2018-6759
Affects <= 2.30
Signed-off-by: Armin Kuster <akuster at mvista.com>
---
meta/recipes-devtools/binutils/binutils-2.30.inc | 1 +
.../binutils/binutils/CVE-2018-6759.patch | 108 +++++++++++++++++++++
2 files changed, 109 insertions(+)
diff --git a/meta/recipes-devtools/binutils/binutils-2.30.inc b/meta/recipes-devtools/binutils/binutils-2.30.inc
index 23625d1..1621e5b 100644
--- a/meta/recipes-devtools/binutils/binutils-2.30.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.30.inc
@@ -38,6 +38,7 @@ SRC_URI = "\
file://CVE-2018-8945.patch \
file://CVE-2018-7643.patch \
file://CVE-2018-6872.patch \
+ file://CVE-2018-6759.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch
new file mode 100644
index 0000000..fff4979
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch
@@ -0,0 +1,108 @@
+From 64e234d417d5685a4aec0edc618114d9991c031b Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc at redhat.com>
+Date: Tue, 6 Feb 2018 15:48:29 +0000
+Subject: [PATCH] Prevent attempts to call strncpy with a zero-length field by
+ chacking the size of debuglink sections.
+
+ PR 22794
+ * opncls.c (bfd_get_debug_link_info_1): Check the size of the
+ section before attempting to read it in.
+ (bfd_get_alt_debug_link_info): Likewise.
+
+Upstream-Status: Backport
+Affects: Binutils <= 2.30
+CVE: CVE-2018-6759
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ bfd/ChangeLog | 7 +++++++
+ bfd/opncls.c | 22 +++++++++++++++++-----
+ 2 files changed, 24 insertions(+), 5 deletions(-)
+
+Index: git/bfd/opncls.c
+===================================================================
+--- git.orig/bfd/opncls.c
++++ git/bfd/opncls.c
+@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
+ bfd_byte *contents;
+ unsigned int crc_offset;
+ char *name;
++ bfd_size_type size;
+
+ BFD_ASSERT (abfd);
+ BFD_ASSERT (crc32_out);
+@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
+ if (sect == NULL)
+ return NULL;
+
++ size = bfd_get_section_size (sect);
++
++ /* PR 22794: Make sure that the section has a reasonable size. */
++ if (size < 8 || size >= bfd_get_size (abfd))
++ return NULL;
++
+ if (!bfd_malloc_and_get_section (abfd, sect, &contents))
+ {
+ if (contents != NULL)
+@@ -1197,10 +1204,10 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
+
+ /* CRC value is stored after the filename, aligned up to 4 bytes. */
+ name = (char *) contents;
+- /* PR 17597: avoid reading off the end of the buffer. */
+- crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
++ /* PR 17597: Avoid reading off the end of the buffer. */
++ crc_offset = strnlen (name, size) + 1;
+ crc_offset = (crc_offset + 3) & ~3;
+- if (crc_offset + 4 > bfd_get_section_size (sect))
++ if (crc_offset + 4 > size)
+ return NULL;
+
+ *crc32 = bfd_get_32 (abfd, contents + crc_offset);
+@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd,
+ bfd_byte *contents;
+ unsigned int buildid_offset;
+ char *name;
++ bfd_size_type size;
+
+ BFD_ASSERT (abfd);
+ BFD_ASSERT (buildid_len);
+@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd,
+ if (sect == NULL)
+ return NULL;
+
++ size = bfd_get_section_size (sect);
++ if (size < 8 || size >= bfd_get_size (abfd))
++ return NULL;
++
+ if (!bfd_malloc_and_get_section (abfd, sect, & contents))
+ {
+ if (contents != NULL)
+@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd,
+
+ /* BuildID value is stored after the filename. */
+ name = (char *) contents;
+- buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
++ buildid_offset = strnlen (name, size) + 1;
+ if (buildid_offset >= bfd_get_section_size (sect))
+ return NULL;
+
+- *buildid_len = bfd_get_section_size (sect) - buildid_offset;
++ *buildid_len = size - buildid_offset;
+ *buildid_out = bfd_malloc (*buildid_len);
+ memcpy (*buildid_out, contents + buildid_offset, *buildid_len);
+
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,10 @@
++2018-02-06 Nick Clifton <nickc at redhat.com>
++
++ PR 22794
++ * opncls.c (bfd_get_debug_link_info_1): Check the size of the
++ section before attempting to read it in.
++ (bfd_get_alt_debug_link_info): Likewise.
++
+ 2018-02-09 Nick Clifton <nickc at redhat.com>
+
+ Import patch from mainline:
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the Openembedded-commits
mailing list