[OE-core] [SUMO][PATCH 01/12] binutils: Security fix CVE-2018-8945

Khem Raj raj.khem at gmail.com
Mon Aug 6 17:27:15 UTC 2018


This series is ok, although a single patch would be ok as well.
On Mon, Aug 6, 2018 at 7:29 AM Armin Kuster <akuster808 at gmail.com> wrote:
>
> From: Armin Kuster <akuster at mvista.com>
>
> Affects <= 2.30
>
> Signed-off-by: Armin Kuster <akuster at mvista.com>
> ---
>  meta/recipes-devtools/binutils/binutils-2.30.inc   |  1 +
>  .../binutils/binutils/CVE-2018-8945.patch          | 70 ++++++++++++++++++++++
>  2 files changed, 71 insertions(+)
>  create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-8945.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.30.inc b/meta/recipes-devtools/binutils/binutils-2.30.inc
> index 9c883ac..349fa5a 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.30.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.30.inc
> @@ -35,6 +35,7 @@ SRC_URI = "\
>       file://0013-fix-the-incorrect-assembling-for-ppc-wait-mnemonic.patch \
>       file://0014-Detect-64-bit-MIPS-targets.patch \
>       file://0015-sync-with-OE-libtool-changes.patch \
> +     file://CVE-2018-8945.patch \
>  "
>  S  = "${WORKDIR}/git"
>
> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-8945.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-8945.patch
> new file mode 100644
> index 0000000..6a43168
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-8945.patch
> @@ -0,0 +1,70 @@
> +From 95a6d23566165208853a68d9cd3c6eedca840ec6 Mon Sep 17 00:00:00 2001
> +From: Nick Clifton <nickc at redhat.com>
> +Date: Tue, 8 May 2018 12:51:06 +0100
> +Subject: [PATCH] Prevent a memory exhaustion failure when running objdump on a
> + fuzzed input file with corrupt string and attribute sections.
> +
> +       PR 22809
> +       * elf.c (bfd_elf_get_str_section): Check for an excessively large
> +       string section.
> +       * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the
> +       attribute section is larger than the size of the file.
> +
> +Upsteram-Status: Backport
> +Affects: Binutils <= 2.30
> +CVE: CVE-2018-8945
> +Signed-off-by: Armin kuster <akuster at mvista.com>
> +---
> + bfd/ChangeLog   | 8 ++++++++
> + bfd/elf-attrs.c | 9 +++++++++
> + bfd/elf.c       | 1 +
> + 3 files changed, 18 insertions(+)
> +
> +Index: git/bfd/elf-attrs.c
> +===================================================================
> +--- git.orig/bfd/elf-attrs.c
> ++++ git/bfd/elf-attrs.c
> +@@ -438,6 +438,15 @@ _bfd_elf_parse_attributes (bfd *abfd, El
> +   /* PR 17512: file: 2844a11d.  */
> +   if (hdr->sh_size == 0)
> +     return;
> ++  if (hdr->sh_size > bfd_get_file_size (abfd))
> ++    {
> ++      /* xgettext:c-format */
> ++      _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"),
> ++                        abfd, hdr->bfd_section, (long long) hdr->sh_size);
> ++      bfd_set_error (bfd_error_invalid_operation);
> ++      return;
> ++    }
> ++
> +   contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1);
> +   if (!contents)
> +     return;
> +Index: git/bfd/elf.c
> +===================================================================
> +--- git.orig/bfd/elf.c
> ++++ git/bfd/elf.c
> +@@ -298,6 +298,7 @@ bfd_elf_get_str_section (bfd *abfd, unsi
> +       /* Allocate and clear an extra byte at the end, to prevent crashes
> +        in case the string table is not terminated.  */
> +       if (shstrtabsize + 1 <= 1
> ++        || shstrtabsize > bfd_get_file_size (abfd)
> +         || bfd_seek (abfd, offset, SEEK_SET) != 0
> +         || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL)
> +       shstrtab = NULL;
> +Index: git/bfd/ChangeLog
> +===================================================================
> +--- git.orig/bfd/ChangeLog
> ++++ git/bfd/ChangeLog
> +@@ -1,3 +1,11 @@
> ++2018-05-08  Nick Clifton  <nickc at redhat.com>
> ++
> ++       PR 22809
> ++       * elf.c (bfd_elf_get_str_section): Check for an excessively large
> ++       string section.
> ++       * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the
> ++       attribute section is larger than the size of the file.
> ++
> + 2018-02-07  Alan Modra  <amodra at gmail.com>
> +
> +       Revert 2018-01-17  Alan Modra  <amodra at gmail.com>
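
Review bot: the tag in the embedded patch header is spelled "Upsteram-Status: Backport", so anything that looks for an Upstream-Status line will not find it. Please correct the spelling; since the header's From line already carries the upstream commit id, the tag could reference that commit as well. In the elf-attrs.c hunk the new message uses %pB and %pA while the recipe being patched is binutils-2.30.inc. Please confirm that _bfd_error_handler in this tree understands those specifiers, otherwise the file and section names will not be printed as intended. Minor: the Signed-off-by in this header reads "Armin kuster", while the outer commit uses "Armin Kuster".
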
> --
> 2.7.4
>