[OE-core] [ROCKO][PATCH 05/27] binutls: Security fix CVE-2017-14934
Armin Kuster
akuster808 at gmail.com
Wed Aug 8 15:35:00 UTC 2018
From: Armin Kuster <akuster at mvista.com>
Affects: <= 2.29.1
Signed-off-by: Armin Kuster <akuster at mvista.com>
---
meta/recipes-devtools/binutils/binutils-2.29.1.inc | 1 +
.../binutils/binutils/CVE-2017-14934.patch | 63 ++++++++++++++++++++++
2 files changed, 64 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-14934.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index fb4ca64..765813d 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -40,6 +40,7 @@ SRC_URI = "\
file://CVE-2017-14932.patch \
file://CVE-2017-14933_p1.patch \
file://CVE-2017-14933_p2.patch \
+ file://CVE-2017-14934.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14934.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14934.patch
new file mode 100644
index 0000000..57733f0
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14934.patch
@@ -0,0 +1,63 @@
+From 19485196044b2521af979f1e5c4a89bfb90fba0b Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc at redhat.com>
+Date: Wed, 27 Sep 2017 10:42:51 +0100
+Subject: [PATCH] Prevent an infinite loop in the DWARF parsing code when
+ encountering a CU structure with a small negative size.
+
+ PR 22219
+ * dwarf.c (process_debug_info): Add a check for a negative
+ cu_length field.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-14934
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/dwarf.c | 11 ++++++++++-
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+Index: git/binutils/dwarf.c
+===================================================================
+--- git.orig/binutils/dwarf.c
++++ git/binutils/dwarf.c
+@@ -2547,7 +2547,7 @@ process_debug_info (struct dwarf_section
+ int level, last_level, saved_level;
+ dwarf_vma cu_offset;
+ unsigned int offset_size;
+- int initial_length_size;
++ unsigned int initial_length_size;
+ dwarf_vma signature_high = 0;
+ dwarf_vma signature_low = 0;
+ dwarf_vma type_offset = 0;
+@@ -2695,6 +2695,15 @@ process_debug_info (struct dwarf_section
+ num_units = unit;
+ break;
+ }
++ else if (compunit.cu_length + initial_length_size < initial_length_size)
++ {
++ warn (_("Debug info is corrupted, length of CU at %s is negative (%s)\n"),
++ dwarf_vmatoa ("x", cu_offset),
++ dwarf_vmatoa ("x", compunit.cu_length));
++ num_units = unit;
++ break;
++ }
++
+ tags = hdrptr;
+ start += compunit.cu_length + initial_length_size;
+
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2017-09-27 Nick Clifton <nickc at redhat.com>
++
++ PR 22219
++ * dwarf.c (process_debug_info): Add a check for a negative
++ cu_length field.
++
+ 2017-11-01 Alan Modra <amodra at gmail.com>
+
+ Apply from master
--
2.7.4
More information about the Openembedded-core
mailing list